$194 Million was Moved Using Bitcoin With $0.1 Fee: The True Potential of Crypto (Banks: $10,000+ Fee)

On October 16, a Bitcoin user moved 29,999 BTC worth $194 million with a $0.1 fee, a transaction which with banks would cost tens of thousands of dollars.

An often pushed narrative against cryptocurrencies like Bitcoin and Ethereum is that it is expensive to clear transactions due to fees sent to miners. However, the $194 million payment on the Bitcoin blockchain demonstrates the potential of consensus currencies to optimize cross-border payments significantly.

$1 Million Through a Bank Costs $10,000+

Transferwise is a UK-based multi-billion dollar firm that eliminates hidden fees in bank transfers. On the platform, users can send small to large payments through bank accounts with substantially lower fees.

However, even on a platform like Transferwise, to send over $1 million, it costs over $7,500 in transaction fees. That means, through wire transfers and conventional banking methods, tens of thousands of dollars are required to clear a transaction that is larger than $1 million.

Percentage-wise, $7,500 is less than 1 percent of $1 million, and in that sense, a $7,500 fee is cheap. But, on the Bitcoin network, which is supposedly highly inefficient in processing payments, it costs less than $0.1 to clear a $194 million transaction.



On October 14, publicly acclaimed cryptocurrency critic Nouriel Roubini, an economist and professor at Stern School, falsely claimed that it costs $60 to process a Bitcoin transaction and as such, it costs $63 to purchase a Starbucks latte that costs $3, using Bitcoin.

“So the cost per transaction of bitcoin is literally $60. So if I were to buy a $3 latte at Starbucks I would have to pay $63 to get it! So the myth of a ‘Brilliant new technology that reduces the vast fees of legacy financial systems!’ turns out to be a Big Fat Lie!” Nouriel claimed.

In response, respected cryptocurrency investor and Blocktower co-founder Ari Paul stated that the transaction fee of Bitcoin, which is less than $0.1, is publicly verifiable on the blockchain.

“BTC fees are less than $0.10, easily verifiable. If you value truth, you’d provide a public correction. If your goal is to mislead people with simply false statements, carry on. There’s nothing to research. Fees are publicly viewable from many sources (googling it works.) I find it better not to provide a specific source because then regardless of source, the source gets attacked,” Paul noted.

Crypto Could Crack Offshore Banking Market First

As scalability of public blockchain networks improves with the integration of both on-chain and second-layer scaling solutions, cryptocurrencies will be able to handle small payments with higher efficiency.

But, in the mid-term, given the ability of the blockchain to process large-scale payments at the same cost of a small transaction, it is highly likely that cryptocurrencies will gain wide acceptance by investors and firms in the offshore banking market, a $30 trillion industry that relies on financial institutions to clear large transactions.

Spending $0.1 to $1 for a $5 to $10 transaction could be inefficient and impractical. However, spending the same fee to process multi-million dollar transactions provides cryptocurrencies a clear edge over legacy systems.


from: https://www.ccn.com/194-million-was-moved-using-bitcoin-with-0-1-fee-true-potential-of-crypto/


This is the transaction & fee:






The European Blockchain Partnership Finds Europe Getting Serious About Distributed Ledger Technology

Here’s why the European Blockchain Partnership is a big step towards widespread blockchain adoption: the European Commission wants the European Blockchain Services Infrastructure (EBSI) to become an international “gold standard” for large-scale DLTs.


On April 10, 2018, 21 EU member states and Norway signed up to create the European Blockchain Partnership. Including the UK, France, Germany, Sweden, the Netherlands and Ireland, they committed themselves to “cooperate in the establishment of a European Blockchain Services Infrastructure (EBSI) that will support the delivery of cross-border digital public services, with the highest standards of security and privacy.”

Since April, a further five nations have joined the Partnership, with Italy becoming the latest to do so after it signed the Partnership’s Declaration in September. As a member, it has committed itself to helping to identify, by the end of 2018, “an initial set of cross-border digital public sector services that could be deployed through the European Blockchain Services Infrastructure.”

By bringing distributed ledger technology (DLT) to European infrastructure, the Partnership hopes to make cross-border services – such as those related to logistics and regulatory reporting – safer and more efficient. However, progress towards this goal has so far been slow and piecemeal, with the Partnership’s members having had only three meetings since April. Nonetheless, it retains ambitious aims, with the European Commission telling Cointelegraph that it wants the European Blockchain Services Infrastructure (EBSI) to become an international “gold standard” for large-scale DLTs.


Still deciding

So far, the Partnership’s mission is vaguely defined. While there was already agreement in April that it would work towards developing cross-border, blockchain-based public services, there is still no actual agreement on what particular services to hone in on and develop. The European Commission’s head of Digital Innovation and Blockchain, Pēteris Zilgalvis explains:

“The Partnership’s mission is defined in the Joint Declaration and it is on that mandate that we have to deliver before the end of the year. In the Joint Declaration the signatories committed to working together and with the European Commission in order to develop an EBSI that can support the delivery of cross-border digital public services in Europe. So the description of what this services’ infrastructure [EBSI] could look like is what we are currently working on.”

In other words, the Partnership’s membership is currently at the very early stage of negotiating just what kind of blockchain-based public services to develop. However, as Zilgalvis explained to Cointelegraph, it expects to have agreed on all the fundamental details by the end of the year, so that these can be used as the basis for actually building and rolling out distributed cross-border technologies.

“As stated in the Joint Declaration, by end of 2018 the Partnership must provide a set of use cases of cross-border digital public services that could be deployed through the EBSI, a set of functional and technical specifications for the EBSI and finally, a governance model describing how the EBSI will be managed.”

A global reference for blockchain

The Partnership and its members will therefore be busy for the rest of 2018, although it has only three more meetings left to hammer out the all-important details, having already had three meetings so far. According to Finland’s representative to the Partnership, Kimmo Mäkinen, a senior advisor at the Department of Public Sector Digitalization, the most recent meeting took place on September 17. “This was the third meeting,” he tells Cointelegraph. “The main topic was to discuss about the most prominent cross-border blockchain use-cases that had been proposed by member states and by the commission.”

As for whether the Partnership will successfully decide on all the necessary parameters before the start of 2019, Mäkinen doesn’t offer confirmation. “We will have three monthly meetings by the end of this year during which we will have to agree not only on use-cases but also technical/functional requirements and governance model for European blockchain infrastructure,” he says, his use of “not only” implying that the Partnership has a more than sizeable workload to get through before Christmas.

Still, even though three meetings and no particular end-product hardly counts as an impressive achievement, these meetings were positive for the Partnership. More importantly, they’ve revealed a strong commitment among its members towards developing blockchain technologies, as explained by Pēteris Zilgalvis:

“At these meetings we found that the Partners were extremely supportive of collective efforts to establish strong EU leadership in distributed ledger technology, drawing on the Digital Single Market framework, and that EBSI could play a very important role in achieving this objective.”

Indeed, it would appear that the European Blockchain Partnership is being used by the European Commission as a vehicle for the EU becoming a global leader on DLT.

“In the longer term, we would like EBSI to become a global reference when it comes to trusted blockchain infrastructures,” admits Zilgalvis, “a ‘gold standard’ infrastructure that is governed through a transparent multi-stakeholder organisation, meets the most advanced cybersecurity and energy efficiency standards, is scalable to accommodate different use cases, is highly-performant in terms of speed and throughput, ensures the continuity of services on the long term, integrates eIDAS (electronic IDentification, Authentication and trust Services) and supports full compliance with the EU requirements on data protection (General Data Protection Regulation) and network information security.”

So even if the Partnership hasn’t really achieved anything concrete yet, its significance lies in the fact that it represents a massive vote of confidence in blockchain technology. By committing to it, and by aiming to build “highly-performant” blockchain tech, the Partnership’s 27 member nations have effectively declared that they believe DLT is here to stay and that it has genuine applicability to a range of areas.

Separately, each member is for their own purposes interested in blockchain tech from a variety of different perspectives, further testifying to blockchain’s growing status as a promising new solution to a range of problems. “Finland is interested and curious of new possibilities that are to be presented by blockchain technology,” acknowledges Kimmo Mäkinen, “in order to boost cross-border services for example in matters related to document authenticity, data exchange and identity management.”

Implementation mode in 2019?

Of course, while there’s little doubt that the Partnership’s signatories are completely serious about DLT, there still remains the unavoidable question of when, exactly, it will produce and begin introducing the platforms it was set up to build. Well, despite there not being anything absolutely definite on this front, Pēteris Zilgalvis states that we may begin seeing actual output as early as next year:

“These deliverables [functional and technical specifications, governance model] will be addressed to the political representatives who signed the Declaration, and if approved, the Partnership could move into implementation mode in 2019.”

Once again, this time frame is ambitious. But even if certain differences of opinion may need to be ironed out between members before implementation can begin, the target of 2019 shows just how confident the European Commission is that the Partnership’s member states are on the same page with regards to blockchain, which is further indicated by them signing its Declaration in the first place. If the Partnership does indeed follow through with its plans and implements blockchain-based cross-border infrastructure, this will only have positive ramifications and knock-on effects for wider blockchain adoption elsewhere. All of which means that the future of blockchain adoption in Europe looks increasingly bright.


from: https://cointelegraph.com/news/the-european-blockchain-partnership-finds-europe-getting-serious-about-distributed-ledger-technology




Bitcoin’s Time Locks

Bitcoin, having no discernible faults, comes equipped with several different time locks. These tools allow you to specify time-based conditions under which transactions are valid. Using time locks you can make a transaction now that pays someone next week, add a mandatory waiting period for coin movements, set up complex smart contracts that flow across several transactions, or accidentally lock up your coins for centuries.

Most of these time locks were added to Bitcoin quite recently. They’re built into the structure of transactions, and have more than a few idiosyncrasies left over from buggy code written by our favorite anonymous cypherpunk, Mr. Nakamoto. The corresponding Bitcoin Improvement Proposals (BIPs) are wonderful and detailed, but assume a lot of background knowledge. This is an attempt to compile all the information I can find on the time locks, and explain it in depth.

Classifying Time Locks

Before we dive into the tools themselves, let’s figure out how to describe their operation. Time locks have three important attributes: location, targeting, and metric.

Location: Transaction vs. Script

Time is the longest distance between two places.
— Tennessee Williams

Time locks can be found in the transaction itself and/or in its Pay to Script Hash (P2SH) inputs’ associated scripts. Every transaction has multiple time lock fields (they’re present even when not used). Scripts, on the other hand, can have zero or many time locks. In terms of functionality, transaction-level and script-level locks are superficially similar, but perform very different roles. Transaction-level time locks cause a transaction to be invalid until a certain time, regardless of the validity of the signatures and scripts. Script-level time locks will cause script evaluation to fail unless the transaction is also locked. A failed script evaluation makes the transaction invalid. In a nutshell, transaction-level locks determine when a transaction may be confirmed, while script-level locks determine whether a given scriptsig is valid.

The major difference between them is what exactly they lock. A transaction-level lock constrains only a specific transaction. Think of transaction-level locks as future-dating a check: I can write you a check that becomes valid later, but the date applies only to that check, and I could spend the money other ways you don’t know about. Script-level locks set conditions on all transactions spending an output. In other words, transaction-level locks affect what you can do with a transaction after it’s constructed, but script-level locks determine what transactions can be made in the first place.

Transaction locks aren’t as useful as you might think. They don’t control coins, only spends. This is why all the fun stuff required OP_CLTV and OP_CSV. Using script-level locks and conditional logic (OP_IF) we can make complex scripts that can, for example, allow multisig spends at any time, or single signature spends after a certain amount of time has passed. This provides a lot of versatility to P2SH transactions.

Script-level time locks require that a corresponding transaction-level time lock is also included. Script-level locks rely on transaction-level locks for enforcement. Rather than checking the time from within the script, script-level locks check the transaction’s lock. This is elegant and economical, if a bit un-intuitive. The script checks that the transaction is locked at least as long as the script path. It treats the transaction lock as a guarantee that time has passed.

Targeting: Absolute vs. Relative

Time is an illusion, lunchtime doubly so.
— Douglas Adams

Well, really, they’re both relative. You get to choose arbitrary-origin-point-relative or previous-output-relative. But that’s the kind of meaningless pedantry I love.

When we time lock coins, we set a target for their release. Absolute locks define this target in terms of a set time. They pick an exact moment when the lock expires. Relative time locks define it as an amount of time elapsed since the previous output confirmed. It’s the difference between “meet me at 15:00” and “meet me in 4 hours.”

Transactions that are locked to an absolute time are invalid until that time has passed. This means that I can make a transaction years in advance, sign it, share it, and even post it publicly with a guarantee that it won’t be confirmed before its lock expires. I might use an absolute timestamp to send money to my children or create a savings account that you can deposit to, but can’t withdraw from until next year.

Relative locks, on the other hand, mark a transaction invalid until a certain amount of time has passed since the transaction’s previous outputs were confirmed. This is a subtle and powerful feature. The real beauty of relative lock-times is setting locks relative to un-broadcast, un-confirmed transactions. Once a transaction is confirmed, we can always set an absolute lock-time in its future. But to do that, you have to wait for it to confirm, and learn its confirmation time. Or set up a long lock in advance, which becomes an expiration time for your entire smart contract. Relative locks can be set on un-confirmed transactions, meaning that you can create and sign an entire multi-step smart contract in advance, and be guaranteed that its transactions will confirm in the order you expect, no matter when you execute it.

Metric: Blocks vs. Seconds

Then’s the time to time the time flies –
Like time flies like an arrow.
— Edison B. Schroeder

In Bitcoin, time is a consensual hallucination and lunchtime never comes. Transactions can’t exactly look at a clock on the wall, so we need to decide what “time” is. Bitcoin has two ways of measuring “time”: block number, and block timestamp. These were implemented as modes of operation for each time lock, instead of full separate lock mechanisms. You can specify a number of blocks for the lock, or a number of seconds. Both of these have their own complications. In practice, both of these metrics are accurate enough for real-world uses. But it’s important to understand their idiosyncrasies.

We often say that blocks follow a Poisson distribution: they’re expected to come every 10 minutes. But this isn’t quite right. When hashpower is increasing, blocks come faster than expected. When hashpower goes offline or is pointed at other chains, blocks come slower. Difficulty adjusts every 2016 blocks (about every 2 weeks) to target 10 minutes, but blocks can slip a significant amount from where you’d expect them to be due to network conditions, or just random chance.

Timestamps are just as finicky. You see, in Bitcoin, time doesn’t always go forward. Due to consensus rules for block timestamps, time can sometimes reverse itself for a block or two. Or just stop for a minute. There are reasons for this, I promise. It pretty much always stays within a couple hours of “real” time. To make timestamp-based locks reliable in spite of this, they measure time using the ‘median time past’ (MTP) method described in BIP 113. Rather than using the current block’s timestamp, timestamp-based locks use the median timestamp of the previous 11 blocks. This smooths out time’s advance, and ensures that time never goes backwards.



The Locks

Now that we understand what we’re talking about, let’s talk about the tools themselves. There are four time lock options right now: nLocktime, nSequence, OP_CHECKLOCKTIMEVERIFY (OP_CLTV), and OP_CHECKSEQUENCEVERIFY (OP_CSV). Two of them are script-level, two are transaction-level.


nLocktime

nLocktime is the transaction-level, absolute time lock. It’s also the only time lock that was part of Satoshi’s Original Vision (SOV).

A transaction is a simple data structure that contains fields for version, inputs, outputs, and a few other things. nLocktime has its own special field, lock_time. It specifies a block number or timestamp. The transaction is not valid until that time has passed. Transactions made by Bitcoin Core have the lock_time field set to the current block by default to prevent fee sniping. Times are expressed as an unsigned 32 bit integer. If lock_time is 0, it’s ignored. If it is below 500,000,000, it’s treated as a block number; if it is 500,000,000 or above, it’s treated as a unix timestamp. So nLocktime can lock transactions for about 9500 years using block numbers, or until 2106ish using timestamps.

Curiously, the lock_time field is ignored entirely if all inputs have a sequence number of 0xFFFFFFFF (the max for a 32 bit integer). Opt-in Replace-By-Fee (RBF) signals similarly as described in BIP 125. Using sequence_no to signal is an artifact from Satoshi’s half-baked time lock implementation. And at this point we’d have to hard fork to change that. nLocktime and input sequence numbers were originally supposed to create a simple transaction update mechanism. The idea was that you could create a transaction with a lock-time, and then replace it by sending a new version with at least one higher sequence number.

Miners were supposed to drop transactions with lower sequence numbers from the mempool. If all inputs had the maximum sequence number, it meant there could be no more updates, and the transaction could clear regardless of the time lock. This was never fully implemented, and later abandoned. In a curious slip-up, Satoshi seems to have assumed good behavior, which is not a reasonable assumption in Bitcoin. It’s impossible to guarantee that miners will see updated transactions, or drop older versions if they do see newer ones. Miners will mine the most profitable version of a transaction, not the latest.

nLocktime examples:

# Most of the transaction is omitted. Using decimal for human readability.
# Using hex for sequence numbers due to the presence of flags.
# Transaction is invalid until block 499999999 (this is a Bad Idea)
  lock_time: 499999999
# Transaction is invalid until the MTP is 1514764800 (1/1/2018 0:00:00 GMT)
  lock_time: 1514764800
# No lock time. Transaction is valid immediately.
  lock_time: 0
# nLocktime lock is not in effect, because all sequence numbers are set to 0xFFFFFFFF
  lock_time: 3928420
    sequence_no: 0xFFFFFFFF

nSequence

nSequence is the transaction-level relative time lock (technically, nSequence is actually input-level, more later). It repurposes the old sequence_no field of each input to invalidate transactions based on the time elapsed since the previous outputs’ confirmations. nSequence locks were introduced in BIP 68 and activated by soft fork in mid-2016. Satoshi gave us lemons, and we made nSequence time locks.

Sequence numbers have been around since the beginning. But because transaction replacement was never implemented (and wouldn’t have worked in the long run anyway), they became cruft. For years, the only thing they could do was disable nLocktime. Now, sequence numbers are used to enforce relative time locks on the transaction level as described in BIP 68. nSequence locks are set on each input, and measured against the output that each input is consuming. This means that several different time lock conditions can be specified on the same transaction. In order for a transaction to be valid, all conditions must be satisfied. If even a single sequence lock is not met, the entire transaction will be rejected.

Bitcoin developers are amazing at upcycling, but sometimes you end up with a few knots in the wood. Because nSequence time locks re-purpose the existing sequence_no field, it has a few idiosyncrasies. The sequence field is 32 bits, but we can’t use all of them, as it would interfere with nLocktime and RBF signaling. In addition, sequence_no is one of the few places where we have leeway to make future changes. To balance these demands, nSequence was built to use only 18 of the 32 bits. This conserves 14 bits for any future uses we can come up with.

Two bits are flags that tell the node how to interpret the sequence_no field. The most significant bit is the disable flag. If the disable flag is set, nSequence locks are disabled. If the disable flag is not set, the rest of the sequence_no field is interpreted as a relative lock-time. Bit 22 (the 23rd least significant bit), is the type flag. If the type flag is set, the lock is specified in seconds. If the type flag is not set, the lock is specified in blocks.

The least significant 16 bits of the sequence_no are used to encode the target time. Unlike nLocktime, nSequence uses only 16 bits to encode the lock-time. This means nSequence time locks are limited to 65535 units. This allows for locks up to about 455 days when using blocks, but would only allow about 18 hours in seconds. To mitigate this, nSequence does not measure in seconds. Instead it uses chunks of 512 seconds. If the type flag is set, and the lock-time is set to 16 units, the input will be locked until 16 * 512 seconds have elapsed.

Transactions made by Bitcoin Core, by default, have the sequence_no of each input set to 0xFFFFFFFE. This enables nLocktime to discourage fee sniping as described above, and disables Replace-By-Fee. Replace-By-Fee transactions typically have the sequence_no of each input set to 0xFFFFFFFD. It’s worth noting at this point that RBF is not a protocol change, only a change in default mining policy. However, because nSequence locks require that the sequence_no field be set lower than 0xFFFFFFFD to be meaningful, all nSequence locked transactions are opting into RBF.

nSequence examples:

# Most of the transaction is omitted. Using decimal for human readability.
# Using hex for sequence numbers due to the presence of flags.
# This transaction is locked for 4096 seconds. Just over 1 hour.
    sequence_no: 0x00400008
    # Disable flag is not set, type flag is set. Input locked for 8 * 512 seconds.
# This transaction is not nSequence locked, but may be nLocktime locked, and allows RBF.
    sequence_no: 0xFEDC3210
    # Disable flag is set. nSequence locking disabled.
# This transaction is invalid until 16 blocks have elapsed since input_1's prevout confirms.
    sequence_no: 0x00000010  
    # Disable flag is not set, type flag not set. This input locked for 16 blocks.
    sequence_no: 0xFFFFFFFF  
    # Disable flag is set.
# This transaction is not time locked, but has opted to allow Replace-By-Fee.
  lock_time: 0
    sequence_no: 0xFFFFFFFE  
    # nSequence is disabled, nLocktime is enabled, RBF is not signaled.
    sequence_no: 0xFFFFFFFD  
    # nSequence is disabled, nLocktime is enabled, RBF is signaled.
# This transaction is not valid until block 506221
# It is also not valid until 87040 seconds have passed since the confirmation of input_1's previous output
  lock_time: 506221
    sequence_no: 0x004000AA
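As an added example (not code from the original post), here is a small Python model of the two transaction-level fields described above: it classifies lock_time, decodes and encodes the BIP 68 sequence_no bit layout, applies the all-inputs-final rule that switches nLocktime off, and reports BIP 125 RBF signalling, run over the post's own example values. The function names and the round-up policy for seconds in encode_sequence are this example's own choices.

```python
# Added example: transaction-level time lock fields (nLocktime and nSequence).
# Constants follow BIP 68 / BIP 125; the function names are this example's own.
LOCKTIME_THRESHOLD = 500_000_000   # lock_time below this is a block height, at or above a unix timestamp
SEQUENCE_FINAL = 0xFFFFFFFF        # when every input carries this, nLocktime is ignored
SEQUENCE_DISABLE_FLAG = 1 << 31    # bit 31: relative lock disabled for this input
SEQUENCE_TYPE_FLAG = 1 << 22       # bit 22: set = units of 512 seconds, clear = blocks
SEQUENCE_MASK = 0xFFFF             # low 16 bits carry the lock value
SEQUENCE_GRANULARITY = 512         # seconds per unit when the type flag is set
RBF_THRESHOLD = 0xFFFFFFFE         # BIP 125: any input below this signals replaceability


def describe_locktime(lock_time):
    """Classify a lock_time field as ('none', 0), ('block', height) or ('timestamp', unix_time)."""
    if lock_time == 0:
        return ("none", 0)
    if lock_time < LOCKTIME_THRESHOLD:
        return ("block", lock_time)
    return ("timestamp", lock_time)


def locktime_enforced(lock_time, sequences):
    """nLocktime only takes effect if it is non-zero and at least one input is not final."""
    return lock_time != 0 and any(seq != SEQUENCE_FINAL for seq in sequences)


def decode_sequence(seq):
    """Return None when relative locking is disabled, else ('blocks', n) or ('seconds', n)."""
    if seq & SEQUENCE_DISABLE_FLAG:
        return None
    units = seq & SEQUENCE_MASK
    if seq & SEQUENCE_TYPE_FLAG:
        return ("seconds", units * SEQUENCE_GRANULARITY)
    return ("blocks", units)


def encode_sequence(value, in_seconds):
    """Build a sequence_no for a relative lock of `value` blocks or seconds.

    Seconds are rounded UP to whole 512-second units so the lock is never shorter
    than requested (a rounding-down bug would let coins move early). Values that
    do not fit in the 16-bit field are rejected rather than silently truncated.
    """
    if value < 0:
        raise ValueError("relative lock must be non-negative")
    units = -(-value // SEQUENCE_GRANULARITY) if in_seconds else value
    if units > SEQUENCE_MASK:
        raise ValueError("relative lock does not fit in 16 bits")
    return units | (SEQUENCE_TYPE_FLAG if in_seconds else 0)


def signals_rbf(sequences):
    """BIP 125 opt-in RBF: any input with sequence_no below 0xFFFFFFFE."""
    return any(seq < RBF_THRESHOLD for seq in sequences)


def describe_tx(lock_time, sequences):
    """Summarise every lock a transaction carries, the way the worked examples read."""
    absolute = describe_locktime(lock_time) if locktime_enforced(lock_time, sequences) else ("none", 0)
    return {
        "locktime": absolute,
        "relative": [decode_sequence(seq) for seq in sequences],
        "rbf": signals_rbf(sequences),
    }


if __name__ == "__main__":
    # Field values taken from the nLocktime and nSequence examples in the post.
    cases = [
        (0, [0x00400008]),                  # 8 * 512 seconds
        (0, [0xFEDC3210]),                  # disable flag set, RBF allowed
        (0, [0x00000010, 0xFFFFFFFF]),      # 16 blocks on input_1, input_2 final
        (3928420, [0xFFFFFFFF]),            # nLocktime switched off by a final input
        (506221, [0x004000AA]),             # block 506221 AND 87040 seconds
    ]
    for lock_time, seqs in cases:
        print(f"lock_time={lock_time} sequences={[hex(s) for s in seqs]} -> {describe_tx(lock_time, seqs)}")
    print("16384 s encodes as", hex(encode_sequence(16384, True)))
```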




OP_CHECKLOCKTIMEVERIFY (OP_CLTV) is the script-level absolute time lock. It was detailed in BIP 65 and softforked into mainnet in late 2015. OP_CLTV enabled hashed timelocked contracts and as such was a hard requirement for the first version of Lightning channels.

Its source is simple and elegant, comprising less than 20 lines of clean, superbly-commented code. Put simply: OP_CLTV compares the top item of the stack to the transaction’s nLocktime. It checks that the top item of the stack is a valid time in seconds or blocks, and that the transaction itself is locked for at least that long via an appropriate lock_time. In this way, OP_CLTV checks that the transaction can’t be confirmed before a certain time.

OP_CHECKLOCKTIMEVERIFY causes script evaluation to fail immediately in the following five situations:

  1. The stack is empty (i.e. there’s no target time specified for OP_CLTV to check).
  2. The top stack item is less than 0 (negative time locks don’t make sense).
  3. The nLocktime is measured in blocks, and the top stack item uses seconds, or vice versa (apples and oranges).
  4. The top stack item is greater than the transaction’s lock_time (not enough time has passed).
  5. The nSequence field of this input is set to 0xFFFFFFFF (timelock might be disabled).

OP_CLTV replaces OP_NOP2, which (as you might expect) did nothing. Designing OP_CLTV to replace OP_NOP2 as a softfork provided an interesting constraint: OP_CLTV must leave the stack exactly as it found it. Because of this OP_CLTV reads a stack item, but does not consume a stack item. It checks the time lock, but then leaves the target time on the stack. As such, it is almost always followed by OP_DROP, which drops the top stack item.

Comparing the lock time specified in the script to the lock time of the transaction is a wonderfully clever implementation because the time is checked only indirectly. It passes enforcement to the nLocktime consensus rules while still allowing scripts to specify multiple different time-locked conditions. It allows scriptsig validity to be checked at any time and cached. The downside is that if OP_CLTV is used in the script, lock_time must be specified in the spending transaction, and a sequence_no less than 0xFFFFFFFF must be present in the input. This can be counterintuitive for new developers, so keep this in mind.

OP_CLTV examples:

# Most of the transaction is omitted. Using decimal for human readability.
# Using hex for sequence numbers due to the presence of flags.
# Anyone can spend, at or after block 506391
  lock_time: 506391
    sequence_no: 0xFFFFFFFE
# This transaction is invalid:
# The lock_time is in blocks, and the CLTV is in seconds
# The sequence_no is 0xFFFFFFFF
  lock_time: 506391
    sequence_no: 0xFFFFFFFF
# This transaction is invalid
# The top stack item is greater than the lock_time
  lock_time: 506391
    sequence_no: 0xFFFFFFFE
# This transaction is valid at block 512462, but only if at least 32 * 512 seconds have passed since its previous output confirmed.
# A separate transaction could be constructed to spend the coins between 506391 and 512462
  lock_time: 512462
    sequence_no: 0x00400020
# This transaction becomes valid at block 506321
# The script allows an alternate execution path using 2-of-2 multisig.
# A separate transaction can be created that will not be time locked.
  lock_time: 506321
    sequence_no: 0xFFFFFFFE
        OP_2 <pubkey_1> <pubkey_2> OP_2 OP_CHECKMULTISIG
# This is a variation of an HTLC.
# This transaction is valid at block 507381 assuming:
# 1. The secret for input_2's script matches the expected secret hash
# 2. Valid signatures and pubkeys are provided for input_2
# 3. input_2's nSequence time-lock is respected.
  lock_time: 507381
    sequence_no: 0xFFFFFFFE
    sequence_no: 0x000000A0
      <signature> <pubkey> <secret>
      OP_HASH160 <secret hash> OP_EQUALVERIFY

OP_CHECKSEQUENCEVERIFY (OP_CSV) is the script-level relative time lock. It was described in BIP 112 and softforked in along with nSequence and MTP measurement in mid-2016.

Functionally, OP_CSV is extremely similar to OP_CLTV. Rather than checking the time, it compares the top stack item to the input’s sequence_no field. OP_CSV parses stack items the same way nSequence interprets lock-times. It respects nSequence’s disable flag and type flag, and reads 16-bit lock duration specifications from the last 16 bits of the stack item. OP_CSV errors if:

  1. The stack is empty (there’s no lock time specified).
  2. The top stack item is less than 0 (negative time is silly).
  3. The top stack item’s disable flag is not set and at least one of the following is true:
  • The transaction version is less than 2 (transaction does not signal OP_CSV compatibility).
  • The input’s sequence_no disable flag is set, (relative locktime is disabled).
  • The input’s sequence_no and top stack item’s type flags are not the same (not using the same metric).
  • The top stack item’s 16-bit duration is longer than the duration found in the input’s sequence_no field (not enough time has elapsed).

OP_CSV replaces OP_NOP3, and (like OP_CLTV) must leave the stack unmodified when it executes to maintain compatibility with older clients. It reads the top stack item, but does not consume it. So again it is often paired with OP_DROP. If the disable flag of the top stack item is set OP_CSV behaves as OP_NOP3.
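To show that the script-level locks never consult a clock but only the spending transaction's own fields, here is an added Python model of OP_CLTV and OP_CSV (not the original post's code, and a simplification of Bitcoin Core's interpreter): each function reads the top stack item without popping it and applies the OP_CLTV and OP_CSV failure lists given above, and run_script is a tiny interpreter for the <n> OP_CLTV/OP_CSV OP_DROP idiom, exercised with values from the examples. The function names and the lock_time, tx_version and input_sequence parameters are assumptions of this example.

```python
# Added example: OP_CHECKLOCKTIMEVERIFY and OP_CHECKSEQUENCEVERIFY as checks
# against the spending transaction's lock fields (BIP 65 / BIP 112 semantics,
# simplified). Stack items are Python ints; real scripts use CScriptNum bytes.
LOCKTIME_THRESHOLD = 500_000_000   # below: block height, at/above: unix timestamp
SEQUENCE_FINAL = 0xFFFFFFFF        # a final input means nLocktime is not enforced
SEQUENCE_DISABLE_FLAG = 1 << 31
SEQUENCE_TYPE_FLAG = 1 << 22
SEQUENCE_MASK = 0xFFFF


def op_checklocktimeverify(stack, lock_time, input_sequence):
    """Mimic OP_CLTV: read (never pop) the top item and compare it with the tx's lock_time."""
    if not stack:
        return False, "empty stack: no target time to check"
    target = stack[-1]
    if target < 0:
        return False, "negative lock time"
    if (target < LOCKTIME_THRESHOLD) != (lock_time < LOCKTIME_THRESHOLD):
        return False, "script and transaction use different metrics (blocks vs seconds)"
    if target > lock_time:
        return False, "transaction lock_time is earlier than the script requires"
    if input_sequence == SEQUENCE_FINAL:
        return False, "input is final (0xFFFFFFFF), so nLocktime would not be enforced"
    return True, "ok"


def op_checksequenceverify(stack, tx_version, input_sequence):
    """Mimic OP_CSV: read (never pop) the top item and compare it with the input's sequence_no."""
    if not stack:
        return False, "empty stack: no relative lock to check"
    target = stack[-1]
    if target < 0:
        return False, "negative sequence"
    if target & SEQUENCE_DISABLE_FLAG:
        return True, "disable flag set on stack item: behaves as OP_NOP3"
    if tx_version < 2:
        return False, "transaction version < 2 does not signal nSequence locks"
    if input_sequence & SEQUENCE_DISABLE_FLAG:
        return False, "input's sequence_no has relative locks disabled"
    if (target & SEQUENCE_TYPE_FLAG) != (input_sequence & SEQUENCE_TYPE_FLAG):
        return False, "script and input use different metrics (blocks vs 512-second units)"
    if (target & SEQUENCE_MASK) > (input_sequence & SEQUENCE_MASK):
        return False, "input is not locked for as long as the script requires"
    return True, "ok"


def run_script(ops, lock_time, tx_version, input_sequence):
    """Tiny interpreter for the <n> OP_CLTV/OP_CSV OP_DROP idiom; ints are pushed, names executed."""
    stack = []
    for op in ops:
        if isinstance(op, int):
            stack.append(op)
        elif op == "OP_CHECKLOCKTIMEVERIFY":
            ok, why = op_checklocktimeverify(stack, lock_time, input_sequence)
            if not ok:
                return False, why
        elif op == "OP_CHECKSEQUENCEVERIFY":
            ok, why = op_checksequenceverify(stack, tx_version, input_sequence)
            if not ok:
                return False, why
        elif op == "OP_DROP":
            if not stack:
                return False, "OP_DROP on empty stack"
            stack.pop()
        else:
            return False, f"unsupported op {op}"
    return True, "ok"


if __name__ == "__main__":
    # Values from the OP_CLTV examples: script demands block 506391.
    cltv = [506391, "OP_CHECKLOCKTIMEVERIFY", "OP_DROP"]
    print("CLTV, lock_time 506391, seq 0xFFFFFFFE:", run_script(cltv, 506391, 2, 0xFFFFFFFE))
    print("CLTV, lock_time 506391, seq 0xFFFFFFFF:", run_script(cltv, 506391, 2, 0xFFFFFFFF))
    print("CLTV, lock_time 0 (not locked):       ", run_script(cltv, 0, 2, 0xFFFFFFFE))
    # Values from the OP_CSV examples: script demands 255 blocks since the prevout.
    csv = [0x000000FF, "OP_CHECKSEQUENCEVERIFY", "OP_DROP"]
    print("CSV, input seq 0x000000FF, version 2:  ", run_script(csv, 0, 2, 0x000000FF))
    print("CSV, input seq 0x000000FF, version 1:  ", run_script(csv, 0, 1, 0x000000FF))
    print("CSV, input seq 0x00400020 (seconds):   ", run_script(csv, 0, 2, 0x00400020))
```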

As described earlier when discussing relative lock-times, OP_CSV is an amazing tool for stringing together chains of transactions. If we used OP_CLTV instead, the entire transaction chain would have an absolute expiration date. OP_CSV allows us to set an expiration date relative to the first broadcast transaction. So a chain of transactions can be made and stored indefinitely while maintaining time lock guarantees.

Transactions, once confirmed, cannot be revoked without a chain re-org. But chaining transactions via OP_CSV relative lock-times lets us create script evaluation paths that almost provide that feature, by creating mutually exclusive future paths. Using OP_IF, we can construct multiple transactions spending the same previous output (which may itself be from an unconfirmed transaction), and ensure that one of them carries a relative time lock. While that time lock has not yet expired, the unlocked version can be broadcast and will confirm first, spending the coins. This means that we can give certain transactions priority over others, and control the execution of complex smart contracts. The Lightning Network makes extensive use of this.

OP_CSV examples

# Most of the transaction is omitted. Using decimal for human readability.
# Using hex for sequence numbers due to the presence of flags.
# Anyone can spend, 255 blocks after the previous output confirms.
  lock_time: 0
    sequence_no: 0x000000FF
# Anyone can spend, so long as both of the following are true:
# a) 16,384 seconds have passed since input_1's previous output was confirmed
# b) 255 blocks have passed since input_2's previous output was confirmed
  lock_time: 0
    sequence_no: 0x00400020
    sequence_no: 0x000000FF
# Anyone can spend, so long as 256 blocks have passed since input_1's previous output.
# Note that a separate transaction can be created to spend these coins.
# The alternate path would specify a lock_time of at least 506321.
# The script allows either an absolute or relative time lock, whichever is shorter.
  lock_time: 0
    sequence_no: 0x00000100
# This transaction is invalid until 1/1/2020,
# AND until 31457280 seconds after the previous output confirmed.
# It also specifies a single approved spender by their pubkey.
  lock_time: 1577836800
    sequence_no: 0x0040F000  # type flag (bit 22) is set; 0xF000 units * 512 s = 31457280 s
      <signature> <pubkey>
      OP_DUP OP_HASH160 <pubkey hash> OP_EQUALVERIFY
# This transaction is invalid 3 ways:
# 1) input_1's script fails because the stack item's 16-bit lock duration is greater than specified in the sequence_no.
# 2) input_2's script fails because the sequence_no's type flag is not set, while the stack item's type flag is set.
# 3) input_3's script leaves 0x00000001 on the stack at the end, since OP_CSV does not consume its argument;
#    that violates the CLEANSTACK rule (a standardness rule for legacy scripts, consensus for segwit),
#    which is why OP_CSV is normally followed by OP_DROP.
  lock_time: 0
    sequence_no: 0x0004F000
    sequence_no: 0x0000FFFF
    sequence_no: 0x00000001
      0x00000001 OP_CHECKSEQUENCEVERIFY

Review

Bitcoin’s time locks are powerful tools, but can be confusing. Here’s a quick list of important things to remember:

  • OPs go in scripts.
  • “Locktime” means absolute.
  • “Sequence” means relative.
  • All time locks can do blocks or seconds, but they have different ways of signalling.
  • Don’t accidentally lock things for centuries.
  • Script-level time locks need a transaction-level lock of the same type in the spending tx.

Further Reading


from: https://medium.com/summa-technology/bitcoins-time-locks-27e0c362d7a1




Research: $20 Billion Raised Through ICOs Since 2017

Initial Coin Offerings (ICOs) have raised $20 billion since the start of 2017, which is $18 billion more than the previous year, according to a recent study by financial research firm Autonomous Research. The study dubbed “Crypto Utopia” explores the cryptocurrency industry over the past year, focusing on ICOs and the regulation to which they are exposed.

Per the study, $12 billion has been raised through ICOs in the course of 2018, while last year they raised $7 billion. The ICOs of blockchain protocol EOS and messaging app Telegram are responsible for almost half of all ICO funds in 2018 at $4.2 billion and $1.7 billion, respectively.

Though over 300 crypto funds have been launched to invest in crypto assets, a vast majority of funds are concentrated within a small minority of organizations, according to Autonomous.

The research notes that ICOs are often exposed to fraud and scams, which form 20 percent of project white papers, while phishing and hacking are responsible for stealing 15 percent of all crypto assets by market capitalization. More than 50 percent of ICOs have failed to raise funds and subsequently have closed.

2017 saw over $7 billion of investment flow into ICOs, which is fourfold greater than equity investment in crypto companies. Many ICOs were purportedly launched to take advantage of the “goldrush,” subsequently resulting in quality and regulatory concerns regarding tokens.

Price performance for the top 200 liquid coins during the last 1.5 years has reportedly demonstrated an unprecedented surge, from 10 to 1 million percent. The authors of the study suggest that such a performance shows exponential software-like growth for digital currencies.

The study states that venture and trading funds are “the most numerous and hold the most assets under management.”

Another study by Autonomous Research published last month stated that funding in ICOs has seen its hardest slump in 16 months, stating that in August startups raised $326 million, which is the smallest amount since May 2017.

In August, ICORating published a study showing that the ICO market more than doubled in a year. ICOs in Q1–2 2018 had already raised over $11 billion in investments, a figure which it purports is ten times larger than the sum of investments from ICOs in Q1–2 2017.

from: https://cointelegraph.com/news/research-20-billion-raised-through-icos-since-2017

MOBI Blockchain Grand Mobility Challenge: From October To Showcase Demo In February 2019

The MOBI Grand Challenge intends to develop “the first viable” blockchain-powered network of vehicles and system to coordinate machines, provide data sharing, as well as to improve the level of mobility in urban conditions.


The Mobility Open Blockchain Initiative (MOBI), and the Trusted IoT Alliance (TIoTA) have launched a tournament for blockchain applications in vehicles, according to an official press release published Oct. 10.

The new tournament entitled MOBI Grand Challenge reportedly intends to develop “the first viable” blockchain-powered network of vehicles and system to coordinate machines, provide data sharing, as well as to improve the level of mobility in urban conditions.

The three-year blockchain challenge, which plans to award winners with over $1 million worth of tokens, will cover a number of events, and invites entrants to participate online globally.

The MOBI Grand Challenge will begin Oct. 12 with the first four-month challenge to showcase “potential uses of blockchain in coordinating vehicle movement and improving transportation in urban environments.”

Selected technologies from the first challenge will be demonstrated at an event hosted by MOBI community member BMW Group in Munich, Germany in February 2019.

The outcomes found in the first series of the MOBI Grand Challenge will be used as basis to create the next challenges of the three-year tournament.

According to the press release, the winners of the first challenge will be granted $350,000 worth of awards in a number of categories, including $250,000 worth of tokens by Beyond Protocol, and $100,000 worth of tokens by Ocean Protocol.

Ocean Protocol is a blockchain-based data exchange protocol that has committed a prize of $1 million in tokens to the MOBI Grand Challenge. Beyond Protocol is a Silicon Valley-based firm that is applying distributed ledger technology (DLT) to secure Internet of Things (IoT) devices. The firm has committed $250,000 worth of tokens to be used on its protocol network.

Zaki Manian, Executive Director of the Trusted IoT Alliance and a member of MOBI’s Board of Advisors, stated that mobility is a “breakout” IoT industry direction for blockchain. According to Manian, just a “small percentage of companies have completed end-to-end proof of concepts in this area,” so the new tournament intends to “fill this gap.”

In May 2018, four leading global vehicle suppliers, BMW, GM, Ford, and Renault, launched a joint blockchain platform aiming to “change transportation.” The joint effort aims to address mobility issues, making it “safer, greener, and more affordable” by using blockchain technology.

In March, Cointelegraph reported that major American car manufacturer Ford patented a system for vehicle-to-vehicle communication methods via exchange of crypto tokens in order to facilitate traffic flow.



Air France-KLM Wants Blockchain To Cut Out Middlemen

It is just some Ethereum-derivative, not actual Blockchain technology –
but it does indicate the major shift from middlemen to a different consensus model in business.


On Wednesday, October 3, one of the world’s largest airlines, Air France-KLM, announced its partnership with Winding Tree, a “blockchain-powered decentralized travel ecosystem.” Through this agreement, the airline aims to provide customers with “more advantageous travel offer[s],” such as a wide range of flight and hotel options, as well as travel solutions to better suit customers’ needs.

Air France-KLM asserts that travel suppliers would profit from blockchain technology because fewer intermediaries, such as travel agencies and tourism package distributors, would be required.

Sonia Barrière, executive vice president of strategy and innovation at Air France-KLM, expressed her enthusiasm for the partnership:

“Air France-KLM is constantly creating the future of travel and devising solutions to make the travel experience easier and more personalized. With blockchain technology, we aim to revolutionize exchanges within the travel industry for our customers, companies and start-ups.”

Although the company has not identified specific projects in the pipeline, Barrière said that it is one of the first airlines to work with Winding Tree on blockchain-based travel solutions. Air France-KLM will also test Winding Tree’s technological developments and provide the organization with feedback.

Speaking more broadly, the travel industry is no stranger to blockchain technology. In July, Singapore Airlines launched a blockchain-based digital wallet as part of the company’s loyalty program. With this wallet, customers can accrue air miles to use at partner merchants across Singapore.

In August, Russia’s Siberian Airlines announced it had developed a blockchain-based system in partnership with Gazpromneft-Aero, an arm of the energy company Gazprom. This system reportedly improves the speed and efficiency of the aviation refueling process.


from: https://www.ethnews.com/major-european-airline-wants-blockchain-to-cut-out-middlemen




US DoJ Charges 7 Russian Intelligence Officers With Crypto-Funded Hacking Attacks

Using the same IP for Bitcoin mining and transactions AND as an identifiable source of hacks DOES frequently allow investigators to point the finger at the correct individuals (and their employers, obviously).

The U.S. Department of Justice (DoJ) has charged seven officers from Russia’s Main Intelligence Directorate (GRU) with cryptocurrency-funded global hacking and related disinformation operations. The indictment was filed by the grand jury at the Western District of Pennsylvania October 3.

The defendants, all of whom are alleged to work for the GRU — a military intelligence agency of the General Staff of the Armed Forces of the Russian Federation — have been charged on multiple counts for alleged “computer hacking, wire fraud, identity theft, and money laundering,” according to a DoJ press release published October 4.

The group is said to belong to a hack team known as “Fancy Bear,” and the indictment contains charges dating back as early as 2014.

According to the indictment, in order to “facilitate the purchase of infrastructure used in their hacking activity […] [the defendants] conspired to launder money through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin.”

The document alleges that the use of Bitcoin (BTC) “allow[ed] the conspirators to avoid direct relationships with traditional financial institutions,” enabling them to further dissimulate their identities and sources of funds.

The defendants are further alleged to have created “hundreds of different email accounts” in order to “avoid creating a centralized paper trail of all their purchases.” Several of these accounts are said to have been dedicated to tracking Bitcoin transaction information and facilitating Bitcoin payments to vendors.

The indictment also charged the defendants with funding their activities through Bitcoin mining:

“The pool of bitcoin generated from the GRU’s mining activity was used, for example, to pay a United States-based company to register the [phishing] domain wada-arna.org through a payment processing company located in the United States. The conspirators used the same funding structure—and in some cases, the very same pool of funds—to purchase key accounts, servers, and domains used in their anti-doping related hacking activity.”

This latter reference to anti-doping related hacking activity refers to the DoJ’s charge that Fancy Bear conspired to steal data from 250 international athletes, as well as anti-doping agencies across the world. These attacks are alleged to have been in retaliation for the banning of Russian athletes from the 2018 Olympics, following suspicions of a state-sponsored doping program.

Although these specific charges are not part of the Robert Mueller investigation into alleged Russian interference in the 2016 U.S. elections, notably three of the seven officials named by the DoJ in this indictment have also been named in the Mueller investigation.

As previously reported, this July the DoJ charged twelve individuals from two units of the GRU with using crypto – allegedly either mined or obtained by “other means” – to fuel efforts to hack into computer networks associated with the Democratic Party, Hillary Clinton’s presidential campaign, and U.S. elections-related state boards and technology firms.


from: https://cointelegraph.com/news/us-doj-charges-7-russian-intelligence-officers-with-crypto-funded-hacking-attacks




A Multi-Million Dollar Bet Ethereum’s Proof-of-Stake Isn’t Coming Soon

“I don’t know if [ethereum] will or will not switch to proof-of-stake. Proof-of-stake has a lot of problems.”
Several mining companies have invested millions in building specialized mining chips for ethereum,
machinery that will only function as long as the network pays out new cryptocurrency
to those who dedicate computing hardware to the effort.


What if ethereum never switches its core consensus algorithm?

It’s an idea that may sound blasphemous to developers building the world’s second-largest blockchain, where plans have long been laid for a transition away from bitcoin’s proof-of-work model to a more egalitarian alternative. Yet, entrepreneurs appear to be betting that between now and that bright future, a small fortune might be waiting.

Already, several mining companies have invested millions in building specialized mining chips for ethereum, machinery that will only function as long as the network pays out new cryptocurrency to those who dedicate computing hardware to the effort.

One such investor is Chen Min, CEO and founder of Linzhi, a Shenzhen-based startup that has spent $4 million in pursuit of designing the fastest specialized mining chip, or ASIC, for ethereum. An industry veteran, Chen was previously the lead ASIC designer at Canaan Creative, one of three (largely bitcoin-focused) mining firms that have dominated the production of crypto hardware over the last decade.

However, she’s since departed to try her hand in making machinery for ethereum, already investing amply in the goal.

“The cost to get to first silicon and sample machines is roughly $4 million. Additionally we have our ongoing cost of operations, salaries, office, which are all modest, lean and efficient,” Chen said.

Announced in September, Linzhi’s ASIC promises to overtake previous ethereum ASIC designs, featuring high improvements to energy efficiency and computing power. Still, the mining chip will only function on ethereum if the blockchain keeps its current code-base.

But Chen isn’t too concerned.

“I don’t know if [ethereum] will or will not switch to proof-of-stake,” she told CoinDesk. “Proof-of-stake has a lot of problems.”

Evidence exists that Linzhi isn’t alone in this position. As detailed in CoinDesk, mining giant Bitmain released its ethereum miner, the Antminer E3, back in March, while Innosilicon announced three ethereum miners in July.

While Chen recognizes the inherent risk of introducing an ASIC in such an unpredictable environment, she told CoinDesk:

“The information is open, we are not hiding that risk. Our customer can decide to buy or not.”

High-risk climate

Also backing Chen’s conviction is the idea that proof-of-work is simply a better system for managing the distribution of cryptocurrency rewards. In this way, Chen described a possible proof-of-stake switch as “not a smart thing.”

“There are so many people, so many users, developers and hardware invested in that coin. If they ignore the work that has been done and switch to proof-of-stake, maybe later they can also ignore your stake and switch to proof-of-some other idea,” Chen said.

But there are other risks facing ASIC mining on ethereum as well.

At a core developer call last week, the engineers behind ProgPoW – a proposal that would change the code so that only GPU miners, rather than ASICs, could mine – were in attendance. Though still in the proposal stage, if executed, ProgPoW would effectively disable ASICs from mining on ethereum – and momentum is building toward the implementation.

Chen, however, argued that such ideas are little more than knee-jerk reactions, ones that don’t actually provide solutions to some of the concerns about how ether rewards are distributed in the community at large.

“ProgPoW is being pushed by large farms that have not disclosed their real intentions,” Chen said, adding:

“The fear of Bitmain is driving the [ethereum] community into the arms of some very powerful well-funded farms that they don’t even know about.”

Kristy-Leigh Minehan, a leading developer behind the ProgPoW switch, pushed back against this claim, arguing that “large-scale GPU farms don’t really exist.” In a sense, Minehan is making the case that GPUs can promote a larger number of participants in securing ethereum, something she argues ASICs, due to their cost and operational requirements, cannot.

Benefits to hardware

More broadly, the push for ProgPoW is typical of what has been termed crypto’s “war on miners,” in which several cryptocurrencies have moved to remove ASIC hardware manufacturers from their respective networks.

Yet according to Chen, much of the conversation about removing ASICs from ethereum lacks an awareness of the kind of advantages specialized hardware can bring to a cryptocurrency project.

“Our chip is optimized, specialized for ethereum, not only for mining, but also for verification and node operation, so I’m very curious about why people think it is wrong,” Chen told CoinDesk.

Chen added that specialized hardware is often condemned on moral, not rational, scientific grounds.

Pointing to scaling challenges faced by ethereum, Chen theorized that advancements in mining hardware could even help ethereum overcome its current concerns about scaling to more people and more transactions.

“[Ethereum] is still so far away from the traditional banking system. I think hardware can contribute,” she said.

In her mind, because ASICs will be able to mine ethereum faster and more efficiently, they will be able to process more transactions at a faster pace. “If we have a fast enough physical layer,” the community won’t have to rely on complex software scaling solutions, such as sharding, she argued.

Chen depicted Linzhi as deeply interested in participating in and assisting with the improvement of the ethereum protocol.

Indeed, pointing to a recent proposal by ethereum founder Vitalik Buterin that offers a scaling method based on hardware running zk-snarks, Chen said that Linzhi would be capable of producing such hardware in the future, although it’s not on their roadmap.

Last resort

All in all, it’s the latest sign that a larger argument is being had about how ethereum will secure its $22 billion blockchain. However, that argument may not break from the original roadmap anytime soon.

Speaking to CoinDesk, Hudson Jameson, a communications officer for the Ethereum Foundation, said he was unaware of any ASIC advocates in the ethereum developer community who might protest the plan to switch to proof-of-stake.

Much of the movement stems from the idea that the presence of ASICs optimized to only run one particular algorithm could interfere with a smooth transition to proof-of-stake, now dubbed “Shasper” due to its fusion with scaling method, sharding.

“That’s the entire reason ProgPoW was created: to ensure [ethereum] could transition safely over to [proof-of-stake] without larger parties like Bitmain manipulating the coin and the price,” Minehan told CoinDesk.

Still, Chen didn’t express too much concern in this regard, emphasizing that such efforts are still very much within “the proposal state.”

Regardless, Chen said that in the event of ProgPoW or proof-of-stake, Linzhi will switch to mining ethereum classic, a rival ethereum platform that split away from the blockchain in 2016 and that has traditionally been more friendly to ASIC hardware.

She told CoinDesk:

“We would like to reduce the power consumed to secure [ethereum], but if they want to stick with wasteful GPUs run by two companies and powerful secret farming concerns, then we will just press on with [ethereum classic].”


from: https://www.coindesk.com/momentum-is-building-to-block-ethereum-asics/




[UPDATED] China Snuck A Tiny Microchip Inside US Top Secret Servers Used By The DoD And CIA — NSA Struggles To Assess Risk

You will find all relevant reporting on the matter on this page, including the implant built into a server’s Ethernet connector at a US telecom company.


The Chinese military surreptitiously inserted tiny microchips no larger than single grains of rice into servers on local assembly lines in order to gain access to data networks run by U.S. government agencies ranging from the Department of Defense to the Central Intelligence Agency, according to an explosive investigation from Bloomberg.

  • A three-year investigation by U.S. government officials found that servers assembled for startup Elemental Technologies by San Jose-based company Supermicro reportedly contained tiny microchips “inserted at factories run by manufacturing subcontractors in China,” Bloomberg reported.
  • The chips, independently discovered by engineers at Amazon and Apple in 2015, purportedly allowed hackers to “create a stealth doorway into any network that included the altered machines,” per Bloomberg, a Trojan horse that gave hackers a direct line into any sensitive network.
  • Elemental servers assembled by Supermicro are “found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships,” per Bloomberg, and the revelation prompted DoD officials at the time to request a small group of technologists “to think about creating commercial products that could detect hardware implants.”
  • “Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing,” Bloomberg reports. “NASA, both houses of Congress, and the Department of Homeland Security have also been customers.”
  • News of the years-long infiltration of secure networks through the lowest levels of the global industrial supply chain — China still manufactures the majority of the raw tech behind the world’s mobile phones and personal computers — reflects not just a coup for the Chinese intelligence community, but an alarming vulnerability of the U.S. industrial base.
  • Technologist Joe Grand put it best in an interview with Bloomberg: “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow … Hardware is just so far off the radar, it’s almost treated like black magic.”

August Cole, a coauthor of the novel “Ghost Fleet” — which features an eerily similar scenario involving Chinese chips hidden inside an F-35 that ruin its stealth capabilities, wrote on Twitter, “Hey Siri, what is my #ghostfleet moment of the day?”

from: https://taskandpurpose.com/china-hacking-microchips-dod-cia/


The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.



In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. Based in Portland, Ore., Elemental made software for compressing massive video files and formatting them for different devices. Its technology had helped stream the Olympic Games online, communicate with the International Space Station, and funnel drone footage to the Central Intelligence Agency. Elemental’s national security contracts weren’t the main reason for the proposed acquisition, but they fit nicely with Amazon’s government businesses, such as the highly secure cloud that Amazon Web Services (AWS) was building for the CIA.

To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

There are two ways for spies to alter the guts of computer equipment. One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden. The other method involves seeding changes from the very beginning.

One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”

But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.

One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

In emailed statements, Amazon (which announced its acquisition of Elemental in September 2015), Apple, and Supermicro disputed summaries of Bloomberg Businessweek’s reporting. “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon wrote. “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote. “We remain unaware of any such investigation,” wrote a spokesman for Supermicro, Perry Hayes. The Chinese government didn’t directly address questions about manipulation of Supermicro servers, issuing a statement that read, in part, “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.” The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment.

The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

The ramifications of the attack continue to play out. The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result. Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.

How the Hack Worked, According to U.S. Officials


Back in 2006, three engineers in Oregon had a clever idea. Demand for mobile video was about to explode, and they predicted that broadcasters would be desperate to transform programs designed to fit TV screens into the various formats needed for viewing on smartphones, laptops, and other devices. To meet the anticipated demand, the engineers started Elemental Technologies, assembling what one former adviser to the company calls a genius team to write code that would adapt the superfast graphics chips being produced for high-end video-gaming machines. The resulting software dramatically reduced the time it took to process large video files. Elemental then loaded the software onto custom-built servers emblazoned with its leprechaun-green logos.

Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company. Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Elemental also started working with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government. Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.

Supermicro had been an obvious choice to build Elemental’s servers. Headquartered north of San Jose’s airport, up a smoggy stretch of Interstate 880, the company was founded by Charles Liang, a Taiwanese engineer who attended graduate school in Texas and then moved west to start Supermicro with his wife in 1993. Silicon Valley was then embracing outsourcing, forging a pathway from Taiwanese, and later Chinese, factories to American consumers, and Liang added a comforting advantage: Supermicro’s motherboards would be engineered mostly in San Jose, close to the company’s biggest clients, even if the products were manufactured overseas.

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

The company’s pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. The majority of its workforce in San Jose is Taiwanese or Chinese, and Mandarin is the preferred language, with hanzi filling the whiteboards, according to six former employees. Chinese pastries are delivered every week, and many routine calls are done twice, once for English-only workers and again in Mandarin. The latter are more productive, according to people who’ve been on both. These overseas ties, especially the widespread use of Mandarin, would have made it easier for China to gain an understanding of Supermicro’s operations and potentially to infiltrate the company. (A U.S. official says the government’s probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.)

With more than 900 customers in 100 countries by 2015, Supermicro offered inroads to a bountiful collection of sensitive targets. “Think of Supermicro as the Microsoft of the hardware world,” says a former U.S. intelligence official who’s studied Supermicro and its business model. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

Well before evidence of the attack surfaced inside the networks of U.S. companies, American intelligence sources were reporting that China’s spies had plans to introduce malicious microchips into the supply chain. The sources weren’t specific, according to a person familiar with the information they provided, and millions of motherboards are shipped into the U.S. annually. But in the first half of 2014, a different person briefed on high-level discussions says, intelligence officials went to the White House with something more concrete: China’s military was preparing to insert the chips into Supermicro motherboards bound for U.S. companies.

The specificity of the information was remarkable, but so were the challenges it posed. Issuing a broad warning to Supermicro’s customers could have crippled the company, a major American hardware maker, and it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were. Plus, without confirmation that anyone had been attacked, the FBI was limited in how it could respond. The White House requested periodic updates as information came in, the person familiar with the discussions says.

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally. Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official. This created an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led by its cyber- and counterintelligence teams—to see what the chips looked like and how they worked.

The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team. Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.

Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity. “The hardware opens whatever door it wants,” says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.

U.S. officials had caught China experimenting with hardware tampering before, but they’d never seen anything of this scale and ambition. The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet. What remained for investigators to learn was how the attackers had so thoroughly infiltrated Supermicro’s production process—and how many doors they’d opened into American targets.

Unlike software-based hacks, hardware manipulation creates a real-world trail. Components leave a wake of shipping manifests and invoices. Boards have serial numbers that trace to specific factories. To track the corrupted chips to their source, U.S. intelligence agencies began following Supermicro’s serpentine supply chain in reverse, a person briefed on evidence gathered during the probe says.

As recently as 2016, according to DigiTimes, a news site specializing in supply chain research, Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai. When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. In order to get further down the trail, U.S. spy agencies drew on the prodigious tools at their disposal. They sifted through communications intercepts, tapped informants in Taiwan and China, even tracked key individuals through their phones, according to the person briefed on evidence gathered during the probe. Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.

The investigators concluded that this intricate scheme was the work of a People’s Liberation Army unit specializing in hardware attacks, according to two people briefed on its activities. The existence of this group has never been revealed before, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.” The unit is believed to focus on high-priority targets, including advanced commercial technology and the computers of rival militaries. In past attacks, it targeted the designs for high-performance computer chips and computing systems of large U.S. internet providers.

Provided details of Businessweek’s reporting, China’s Ministry of Foreign Affairs sent a statement that said “China is a resolute defender of cybersecurity.” The ministry added that in 2011, China proposed international guarantees on hardware security along with other members of the Shanghai Cooperation Organization, a regional security body. The statement concluded, “We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”

The Supermicro attack was on another order entirely from earlier episodes attributed to the PLA. It threatened to have reached a dizzying array of end users, with some vital ones in the mix. Apple, for its part, has used Supermicro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content. By 2014, the startup was put to work building small data centers in or near major global cities. This project, known internally as Ledbelly, was designed to make the search function for Apple’s voice assistant, Siri, faster, according to the three senior Apple insiders.

Documents seen by Businessweek show that in 2014, Apple planned to order more than 6,000 Supermicro servers for installation in 17 locations, including Amsterdam, Chicago, Hong Kong, Los Angeles, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers. Those orders were supposed to double, to 20,000, by 2015. Ledbelly made Apple an important Supermicro customer at the exact same time the PLA was found to be manipulating the vendor’s hardware.

Project delays and early performance problems meant that around 7,000 Supermicro servers were humming in Apple’s network by the time the company’s security team found the added chips. Because Apple didn’t, according to a U.S. official, provide government investigators with access to its facilities or the tampered hardware, the extent of the attack there remained outside their view.


Microchips found on altered motherboards in some cases looked like signal conditioning couplers.
Photographer: Victor Prado for Bloomberg Businessweek


American investigators eventually figured out who else had been hit. Since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected. Although the investigators couldn’t be sure they’d found every victim, a person familiar with the U.S. probe says they ultimately concluded that the number was almost 30 companies.

That left the question of whom to notify and how. U.S. officials had been warning for years that hardware made by two Chinese telecommunications giants, Huawei Corp. and ZTE Corp., was subject to Chinese government manipulation. (Both Huawei and ZTE have said no such tampering has occurred.) But a similar public alert regarding a U.S. company was out of the question. Instead, officials reached out to a small number of important Supermicro customers. One executive of a large web-hosting company says the message he took away from the exchange was clear: Supermicro’s hardware couldn’t be trusted. “That’s been the nudge to everyone—get that crap out,” the person says.

Amazon, for its part, began acquisition talks with an Elemental competitor, but according to one person familiar with Amazon’s deliberations, it reversed course in the summer of 2015 after learning that Elemental’s board was nearing a deal with another buyer. Amazon announced its acquisition of Elemental in September 2015, in a transaction whose value one person familiar with the deal places at $350 million. Multiple sources say that Amazon intended to move Elemental’s software to AWS’s cloud, whose chips, motherboards, and servers are typically designed in-house and built by factories that Amazon contracts from directly.

A notable exception was AWS’s data centers inside China, which were filled with Supermicro-built servers, according to two people with knowledge of AWS’s operations there. Mindful of the Elemental findings, Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says. (Amazon denies that AWS knew of servers found in China containing malicious chips.)

China has long been known to monitor banks, manufacturers, and ordinary citizens on its own soil, and the main customers of AWS’s China cloud were domestic companies or foreign entities with operations there. Still, the fact that the country appeared to be conducting those operations inside Amazon’s cloud presented the company with a Gordian knot. Its security team determined that it would be difficult to quietly remove the equipment and that, even if they could devise a way, doing so would alert the attackers that the chips had been found, according to a person familiar with the company’s probe. Instead, the team developed a method of monitoring the chips. In the ensuing months, they detected brief check-in communications between the attackers and the sabotaged servers but didn’t see any attempts to remove data. That likely meant either that the attackers were saving the chips for a later operation or that they’d infiltrated other parts of the network before the monitoring began. Neither possibility was reassuring.
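The monitoring described above, and the implants' connection to the baseboard management controller described earlier, suggest one defensive control: treat BMC interfaces as a closed population whose traffic should never leave the management network, and flag any small, evenly spaced flows to outside hosts as possible check-ins. The script below is an added example, not code from the article or from Amazon's security team; it assumes a hypothetical BMC management subnet (10.10.50.0/24) and runs over constructed NetFlow-style records.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample: NetFlow-style records "timestamp src dst dport bytes".
# 10.10.50.0/24 is the hypothetical BMC management VLAN; 10.10.50.1 is the
# admins' jump host. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for unknown internet hosts.
SAMPLE_FLOWS = """\
2015-07-01T02:00:00 10.10.50.11 10.10.50.1 443 5200
2015-07-01T02:05:00 10.10.50.11 10.10.50.1 443 5100
2015-07-01T03:00:00 10.10.50.12 203.0.113.7 443 312
2015-07-01T09:00:00 10.10.50.12 203.0.113.7 443 298
2015-07-01T15:00:00 10.10.50.12 203.0.113.7 443 305
2015-07-01T21:00:00 10.10.50.12 203.0.113.7 443 301
2015-07-01T04:00:00 10.10.50.13 198.51.100.9 80 1900000
"""

BMC_NET = ip_network("10.10.50.0/24")          # sources under scrutiny
ALLOWED_DSTS = [ip_network("10.10.50.0/24")]   # where a BMC may legitimately talk

MAX_BEACON_BYTES = 4096   # a "brief check-in" carries a tiny payload
MIN_BEACON_FLOWS = 3      # need a few samples before judging periodicity
MAX_JITTER = 0.2          # stdev/mean of inter-arrival times


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_allowed(dst):
    """True when the destination lies inside an allow-listed network."""
    return any(dst in net for net in ALLOWED_DSTS)


def analyze(flows):
    """Return one finding per (BMC source, unexpected destination) pair.

    A pair is tagged 'beacon' when its flows are small and evenly spaced,
    otherwise 'egress' (still an unexpected outbound connection from a BMC).
    """
    by_pair = defaultdict(list)
    for f in flows:
        if f["src"] in BMC_NET and not is_allowed(f["dst"]):
            by_pair[(f["src"], f["dst"])].append(f)

    findings = []
    for (src, dst), group in sorted(by_pair.items()):
        group.sort(key=lambda f: f["ts"])
        times = [f["ts"] for f in group]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_bytes = mean(f["bytes"] for f in group)
        # Short-circuit keeps mean()/pstdev() away from empty gap lists.
        periodic = (
            len(group) >= MIN_BEACON_FLOWS
            and mean(gaps) > 0
            and pstdev(gaps) / mean(gaps) <= MAX_JITTER
        )
        kind = "beacon" if periodic and avg_bytes <= MAX_BEACON_BYTES else "egress"
        findings.append({
            "src": str(src), "dst": str(dst), "kind": kind,
            "flows": len(group), "avg_bytes": int(avg_bytes),
            "period_s": int(mean(gaps)) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed data the jump-host traffic produces no finding, the six-hourly 300-byte flows from 10.10.50.12 are tagged as a beacon, and the single large transfer from 10.10.50.13 is reported as plain unexpected egress.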

When in 2016 the Chinese government was about to pass a new cybersecurity law—seen by many outside the country as a pretext to give authorities wider access to sensitive data—Amazon decided to act, the person familiar with the company’s probe says. In August it transferred operational control of its Beijing data center to its local partner, Beijing Sinnet, a move the companies said was needed to comply with the incoming law. The following November, Amazon sold the entire infrastructure to Beijing Sinnet for about $300 million. The person familiar with Amazon’s probe casts the sale as a choice to “hack off the diseased limb.”

As for Apple, one of the three senior insiders says that in the summer of 2015, a few weeks after it identified the malicious chips, the company started removing all Supermicro servers from its data centers, a process Apple referred to internally as “going to zero.” Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident.

That August, Supermicro’s CEO, Liang, revealed that the company had lost two major customers. Although he didn’t name them, one was later identified in news reports as Apple. He blamed competition, but his explanation was vague. “When customers asked for lower price, our people did not respond quickly enough,” he said on a conference call with analysts. Hayes, the Supermicro spokesman, says the company has never been notified of the existence of malicious chips on its motherboards by either customers or U.S. law enforcement.

Concurrent with the illicit chips’ discovery in 2015 and the unfolding investigation, Supermicro has been plagued by an accounting problem, which the company characterizes as an issue related to the timing of certain revenue recognition. After missing two deadlines to file quarterly and annual reports required by regulators, Supermicro was delisted from the Nasdaq on Aug. 23 of this year. It marked an extraordinary stumble for a company whose annual revenue had risen sharply in the previous four years, from a reported $1.5 billion in 2014 to a projected $3.2 billion this year.

One Friday in late September 2015, President Barack Obama and Chinese President Xi Jinping appeared together at the White House for an hourlong press conference headlined by a landmark deal on cybersecurity. After months of negotiations, the U.S. had extracted from China a grand promise: It would no longer support the theft by hackers of U.S. intellectual property to benefit Chinese companies. Left out of those pronouncements, according to a person familiar with discussions among senior officials across the U.S. government, was the White House’s deep concern that China was willing to offer this concession because it was already developing far more advanced and surreptitious forms of hacking founded on its near monopoly of the technology supply chain.

In the weeks after the agreement was announced, the U.S. government quietly raised the alarm with several dozen tech executives and investors at a small, invite-only meeting in McLean, Va., organized by the Pentagon. According to someone who was present, Defense Department officials briefed the technologists on a recent attack and asked them to think about creating commercial products that could detect hardware implants. Attendees weren’t told the name of the hardware maker involved, but it was clear to at least some in the room that it was Supermicro, the person says.

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”



from: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies



‘We Have No Way Of Addressing This’: Ex-NSA Scientist Reacts To China Sneaking Microchips Into DoD Servers


After an explosive Bloomberg report revealed that China was surreptitiously inserting small microchips into servers that later ended up being used by the Department of Defense, CIA, and many large American companies, an ex-NSA scientist warned there was “no way of addressing this risk” from a strategic standpoint.

“We can find a couple of them, but we’re not gonna find the next generation version,” said Dave Aitel, a former computer scientist for the National Security Agency now working as the Chief Security Technical Officer for Cyxtera. “That makes it very hard to trust computers in general.”

U.S. government investigators found that servers assembled by American companies contained motherboards — made by Chinese subcontractors — with tiny microchips that could allow hackers to “create a stealth doorway into any network that included the altered machines,” according to Bloomberg.

“They are literally in between the layers of the board,” Aitel said, adding that in order to see it, “you would have to take a board, strip it down, and X-ray it” to find the suspect chip.

“That’s just not a thing we should expect corporations to be able to do, even the biggest organizations.”

The machines are found inside DoD data centers, on Navy warships, and at the CIA, the site reported.

The Pentagon declined to comment on whether the suspect chips were found on DoD networks, citing operational security reasons. Still, Department spokeswoman Heather Babb told Task & Purpose, the U.S. military “has policies in place to address software assurance and supply chain risk management, as well as established security standards to ensure all procured commercial products and services are rigorously inspected for security vulnerabilities. As threats within the cyberspace domain change, DOD looks for solutions that provide more capability.”

“The protection of the National Security Innovation Base is a priority for the Department. Working closely with Congress and private industry, DOD is already advancing to elevate security within the supply chain,” she added.

China isn’t the only nation-state working to infiltrate hardware as a means to hack its enemies. The U.S. does much the same thing — intercepting network hardware and secretly installing beacons that call back to NSA — except it does not appear to get, or to be able to legally compel, the cooperation of the factory making the product.

China doesn’t seem to have that problem.

“The question becomes can we move to a trusted supply chain or not?” Aitel asked. He added that “tin foil” hat thinking that foreign-made hardware should be treated as suspect isn’t so conspiratorial after all.

Still, he did offer some more positive news: “The good news is we caught it, and we’re on it,” Aitel said. “That’s actually phenomenally good news. That does send a message of deterrence. That does send a message that you can’t get away with it.”

President Barack Obama and Chinese President Xi Jinping agreed in 2015 that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” and said they would work together on other cybersecurity issues.

This latest disclosure of cyber-espionage adds fuel to the fire that China has clearly violated the agreement, which the Trump administration accused Beijing of doing earlier this year.

Aitel said it was more than likely that DoD and other governmental organizations were pulling the suspect servers if they haven’t done so already. Still, the risk will likely remain as long as the hardware is not manufactured in the U.S.


from: https://taskandpurpose.com/china-hacking-microchips-nsa-reaction/


China reportedly infiltrated Apple and other US companies using ‘spy’ chips on servers


Ready for information about what may be one of the largest corporate espionage programs from a nation-state? The Chinese government managed to gain access to the servers of more than 30 U.S. companies, including Apple, according to an explosive report from Bloomberg published today.

Bloomberg reports that U.S.-based server motherboard specialist Supermicro was compromised in China, where government-affiliated groups are alleged to have infiltrated its supply chain to attach tiny chips, some merely the size of a pencil tip, to motherboards which ended up in servers deployed in the U.S.

The goal, Bloomberg said, was to gain an entry point within company systems to potentially grab IP or confidential information. While the micro-servers themselves were limited in terms of direct capabilities, they represented a “stealth doorway” that could allow China-based operatives to remotely alter how a device functioned to potentially access information.

Once aware of the program, the U.S. government spied on the spies behind the chips but, according to Bloomberg, no consumer data is known to have been stolen through the attacks. Even still, this episode represents one of the most striking espionage programs from the Chinese government to date.

The story reports that the chips were discovered and reported to the FBI by Amazon, which found them during due diligence ahead of its 2015 acquisition of Elemental Systems, a company that held a range of U.S. government contracts, and Apple, which is said to have deployed up to 7,000 Supermicro servers at peak. Bloomberg reported that Amazon removed them all within a one-month period. Apple did indeed cut ties with Supermicro back in 2016, but it denied a claim from The Information which reported at the time that it was based on a security issue.

Amazon, meanwhile, completed the deal for Elemental Systems — reportedly worth $500 million — after it switched its software to the AWS cloud. Supermicro, meanwhile, was suspended from trading on the Nasdaq in August after failing to submit quarterly reports on time. The company is likely to be delisted once the timeframe for an appeal is over.

Amazon, Apple, Supermicro and China’s Ministry of Foreign Affairs all denied Bloomberg’s findings with strong and lengthy statements — a full list of rebuttals is here. The publication claims that it sourced its information using no fewer than 17 individuals with knowledge of developments, including six U.S. officials and four Apple “insiders.”


from: https://techcrunch.com/2018/10/04/china-reportedly-infiltrated-apple-and-other-us-companies-using-spy-chips-on-servers/



Chinese Espionage

Apple and Amazon Said to Have Found Spy Chips in Servers

Dozens of US companies and government institutions have used servers from the same manufacturer: Supermicro. But according to a media report, their boards had been manipulated in China.




Thursday, 04.10.2018, 14:40


A unit of the Chinese army is said to have arranged for tiny spy chips to be installed in thousands of servers for large companies such as Amazon and Apple. These chips, some as small as the tip of a pencil, are said to have enabled a covert connection to the perpetrators and the unnoticed loading of additional code. This is reported by “Bloomberg Businessweek”, citing a total of 17 anonymous informants from corporate and US government circles. Against this stand sharp denials from Amazon, Apple, the manufacturer of the servers and the Chinese government.

According to the report, the chips were found by both Amazon and Apple themselves, specifically on the motherboards of servers that the California-based company Supermicro assembles or has assembled by contract manufacturers. In Supermicro’s case, these contract manufacturers, the first link in the supply chain, are located in China. There, military personnel are said to have bribed or threatened the managers until they agreed to smuggle the components into the design of the boards and install them.

Zu den betroffenen US-Kunden von Supermicro gehörten “fast 30 Unternehmen”, neben Apple und Amazon auch eine große Bank und mehrere Auftragnehmer der US-Regierung.

Apple: “Wir haben niemals bösartige Chips gefunden”

Amazons Cloudsparte teilte auf Anfrage von “Bloomberg” allerdings mit, es sei unwahr, dass man von der kompromittierten Lieferkette wusste. Apple schrieb: “Wir haben niemals bösartige Chips, manipulierte Hardware oder in Servern versteckte Schwachstellen gefunden”. In ihren vollständigen Dementis führen beide Unternehmen das länger und unmissverständlich aus.

Die insgesamt 17 Quellen der Journalisten widersprechen dieser Darstellung. Sie konnten der Zeitung detailliert darlegen, wie Amazon und Apple die Chips unabhängig voneinander im Jahr 2015 fanden.

Im Fall von Amazon geschah das angeblich bei einer externen Überprüfung von Servern der Firma Elemental, die eine spezielle Software zum Komprimieren und Formatieren von Videos entwickelt hatte und zusammen mit passenden Supermicro-Servern verkaufte, unter anderem an das US-Verteidigungsministerium, die CIA und die US-Marine. Elemental galt damals als möglicher Übernahmekandidat für Amazon, das deshalb die Sicherheitsüberprüfung veranlasst hatte.

Apple beendete 2016 Geschäftsbeziehungen zu Supermicro

Später kaufte Amazon das Start-up zwar wirklich auf, doch kompromittierte Supermicro-Server sollen nur in Amazons chinesischen Cloudzentren zum Einsatz gekommen sein, bis dessen Inventar wieder an ein einheimisches Unternehmen verkauft wurde. An anderen Standorten wollte Amazon nur Elementals Software einsetzen – auf den eigenen Maschinen.

Apple indes habe nach seinem eigenen Fund innerhalb weniger Wochen rund 7000 Supermicro-Server ersetzt, heißt es. Auch das bestreitet das Unternehmen, allerdings räumt es ein, 2016 alle Geschäftsbeziehungen zu Supermicro beendet zu haben, wenn auch aus einem anderen Grund, der etwas mit einem “vergleichsweise kleinen Sicherheitsproblem” zu tun gehabt habe.

Das Ziel der Chinesen sei ein dauerhafter Zugang zu Unternehmens- und Regierungsnetzwerken sowie Geschäftsgeheimnissen gewesen, sagte eine Quelle aus Regierungskreisen “Bloomberg”. Die entsprechenden Untersuchungen dauerten bis heute an.


from: http://www.spiegel.de/netzwelt/web/apple-und-amazon-laut-medienbericht-spionagechips-in-servern-gefunden-a-1231543.html



Bloomberg’s spy chip story reveals the murky world of national security reporting


Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary… or it’s not, and a lot of people screwed up.

To recap, Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful countries.

Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations. Apple also released its own standalone statement later in the day, as did Supermicro. You don’t see that very often unless they think they have nothing to hide. You can — and should — read the statements for yourself.

Welcome to the murky world of national security reporting.

I’ve covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories — including the U.S. government’s covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens.

Even with this story, my gut is mixed.

Where reporters across any topic and beat try to seek the truth, tapping information from the intelligence community is near impossible. For spies and diplomats, it’s illegal to share classified information with anyone and can be — and is — punishable by time in prison.

As a security reporter, you’re either incredibly well sourced or downright lucky. More often than not it’s the latter.

Naturally, people are skeptical of this “spy chip” story. On one side you have Bloomberg’s decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources — some inside the government and out — and presenting enough evidence to present a convincing case.

On the other, the sources are anonymous — likely because the information they shared wasn’t theirs to share or it was classified, putting sources at risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say “a source familiar with the matter” because it weakens the story. It’s the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves — though transparently published in full by Bloomberg — are not bulletproof in outright rejection of the story’s claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance — turning the story from an evidence-based report into a “he said, she said” situation.

That puts the onus on the reader to judge Bloomberg’s reporting. Reporters can publish the truth all they want, but ultimately it’s down to the reader to believe it or not.

In fairness to Bloomberg, chief among Apple’s complaints is a claim that Bloomberg’s reporters were vague in their questioning. Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.

Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark. Assuming there was an active espionage investigation into the alleged actions of a foreign government, you can bet that only a handful of people at these companies will be even cursorily aware of the situation. U.S. surveillance and counter-espionage laws restrict who can be told about classified information or investigations. Only those who need to be in the know are kept in a very tight loop — typically a company’s chief counsel. Often their bosses, the chief executive or president, are not told to avoid making false or misleading statements to shareholders.

It’s worth casting your mind back to 2013, days after the first Edward Snowden documents were published.

In the aftermath of the disclosure of PRISM, the NSA’s data pulling program that implicated several tech companies — including Apple, but not Amazon — the companies came out fighting, vehemently denying any involvement or connection. Was it a failure of reporting? Partially, yes. But the companies also had plausible deniability by cherry picking what they rebuffed. Despite a claim by the government that PRISM had “direct access” to tech companies’ servers, the companies responded that this wasn’t true. They didn’t, however, refute indirect access — which the companies wouldn’t be allowed to say in any case.

Critics of Bloomberg’s story have rightfully argued for more information — such as more technical data on the chip, its design and its functionality. Rightfully so — it’s entirely reasonable to want to know more. Jake Williams, a former NSA hacker turned founder of Rendition Infosec, told me that the story is “credible,” but “even if it turns out to be untrue, the capability exists and you need to architect your networks to detect this.”

I was hesitant to cover this at first given the complexity of the allegations and how explosive the claims are without also seeking confirmation. That’s not easy to do in an hour when Bloomberg’s reporters have been working for the best part of a year. Assuming Bloomberg did everything right — a cover story on its magazine, no less, which would have gone through endless editing and fact-checking before going to print — the reporters likely hit a wall and had nothing more to report, and went to print.

But Bloomberg’s delivery could have been better. Just as The New York Times does — even as recently as its coverage of President Trump’s tax affairs, Bloomberg missed an opportunity to be more open and transparent in how it came to the conclusions that it did. Journalism isn’t proprietary. It should be open to as many people as possible. If you’re not transparent in how you report things, you lose readers’ trust.

That’s where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you — and I — have to put a lot of trust and faith in Bloomberg and its reporters.

And in this day and age where “fake news” is splashed around wrongly and unfairly, for the sake of journalism, my only hope is they’re not wrong.


from: https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/


Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?


From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.

In the context of computer and Internet security, supply chain security refers to the challenge of validating that a given piece of electronics — and by extension the software that powers those computing parts — does not include any extraneous or fraudulent components beyond what was specified by the company that paid for the production of said item.

In a nutshell, the Bloomberg story claims that San Jose, Calif. based tech giant Supermicro was somehow caught up in a plan to quietly insert a rice-sized computer chip on the circuit boards that get put into a variety of servers and electronic components purchased by major vendors, allegedly including Amazon and Apple. The chips were alleged to have spied on users of the devices and sent unspecified data back to the Chinese military.

It’s critical to note up top that Amazon, Apple and Supermicro have categorically denied most of the claims in the Bloomberg piece. That is, their positions refuting core components of the story would appear to leave little wiggle room for future backtracking on those statements. Amazon also penned a blog post that more emphatically stated their objections to the Bloomberg piece.

Nevertheless, Bloomberg reporters write that “the companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.”

The story continues:

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

Many readers have asked for my take on this piece. I heard similar allegations earlier this year about Supermicro and tried mightily to verify them but could not. That in itself should be zero gauge of the story’s potential merit. After all, I am just one guy, whereas this is the type of scoop that usually takes entire portions of a newsroom to research, report and vet. By Bloomberg’s own account, the story took more than a year to report and write, and cites 17 anonymous sources as confirming the activity.

Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list,” “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

That example gives a whole new meaning to the term “supply chain,” doesn’t it? If Bloomberg’s reporting is accurate, that’s more or less what we’re dealing with here in Supermicro as well.

But here’s the thing: Even if you identify which technology vendors are guilty of supply-chain hacks, it can be difficult to enforce their banishment from the procurement chain. One reason is that it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today.

Take, for instance, the problem right now with insecure Internet of Things (IoT) devices — cheapo security cameras, Internet routers and digital video recorders — sold at places like Amazon and Walmart. Many of these IoT devices have become a major security problem because they are massively insecure by default and difficult if not also impractical to secure after they are sold and put into use.

For every company in China that produces these IoT devices, there are dozens of “white label” firms that market and/or sell the core electronic components as their own. So while security researchers might identify a set of security holes in IoT products made by one company whose products are white labeled by others, actually informing consumers about which third-party products include those vulnerabilities can be extremely challenging. In some cases, a technology vendor responsible for some part of this mess may simply go out of business or close its doors and re-emerge under different names and managers.

Mind you, there is no indication anyone is purposefully engineering so many of these IoT products to be insecure; a more likely explanation is that building in more security tends to make devices considerably more expensive and slower to market. In many cases, their insecurity stems from a combination of factors: They ship with every imaginable feature turned on by default; they bundle outdated software and firmware components; and their default settings are difficult or impossible for users to change.

We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered. But the U.S. Congress has held multiple hearings about supply chain security challenges, and the U.S. government has taken steps on several occasions to block Chinese tech companies from doing business with the federal government and/or U.S.-based firms.

Most recently, the Pentagon banned the sale of Chinese-made ZTE and Huawei phones on military bases, according to a Defense Department directive that cites security risks posed by the devices. The U.S. Department of Commerce also has instituted a seven-year export restriction for ZTE, resulting in a ban on U.S. component makers selling to ZTE.

Still, the issue here isn’t that we can’t trust technology products made in China. Indeed there are numerous examples of other countries — including the United States and its allies — slipping their own “backdoors” into hardware and software products.

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States.

Even if the U.S. government and Silicon Valley somehow mustered the funding and political will to do that, insisting that products sold to U.S. consumers or the U.S. government be made only with components made here in the U.S.A. would massively drive up the cost of all forms of technology. Consumers would almost certainly balk at buying these way more expensive devices. Years of experience has shown that consumers aren’t interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply.

Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

“Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product,” Schneier wrote in an opinion piece published earlier this year in The Washington Post. “No one wants to even think about a US-only anything; prices would multiply many times over. We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.”

The Bloomberg piece also addresses this elephant in the room:

“The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

Another huge challenge of securing the technology supply chain is that it’s quite time consuming and expensive to detect when products may have been intentionally compromised during some part of the manufacturing process. Your typical motherboard of the kind produced by a company like Supermicro can include hundreds of chips, but it only takes one hinky chip to subvert the security of the entire product.

Also, most of the U.S. government’s efforts to police the global technology supply chain seem to be focused on preventing counterfeits — not finding secretly added spying components.

Finally, it’s not clear that private industry is up to the job, either. At least not yet.

“In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge,” the Bloomberg story concludes. “Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. ‘This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,’ one of the people present in McLean says. ‘You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.’”

For my part, I try not to spin my wheels worrying about things I can’t change, and the supply chain challenges definitely fit into that category. I’ll have some more thoughts on the supply chain problem and what we can do about it in an interview to be published next week.

But for the time being, there are some things worth thinking about that can help mitigate the threat from stealthy supply chain hacks. Writing for this week’s newsletter put out by the SANS Institute, a security training company based in Bethesda, Md., editorial board member William Hugh Murray has a few provocative thoughts:

  1. Abandon the password for all but trivial applications. Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it.
  2. Abandon the flat network. Secure and trusted communication now trump ease of any-to-any communication.
  3. Move traffic monitoring from encouraged to essential.
  4. Establish and maintain end-to-end encryption for all applications. Think TLS, VPNs, VLANs and physically segmented networks. Software Defined Networks put this within the budget of most enterprises.
  5. Abandon the convenient but dangerously permissive default access control rule of “read/write/execute” in favor of restrictive “read/execute-only” or even better, “Least privilege.” Least privilege is expensive to administer but it is effective. Our current strategy of “ship low-quality early/patch late” is proving to be ineffective and more expensive in maintenance and breaches than we could ever have imagined.


from: https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/



04 OCT 2018

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?


Analysis Chinese government agents sneaked spy chips into Super Micro servers used by Amazon, Apple, the US government, and about 30 other organizations, giving Beijing’s snoops access to highly sensitive data, according to a bombshell Bloomberg report today.

The story, which has been a year in the making and covers events it says happened three years ago, had a huge impact on the markets: the company at the center of the story, San Jose-based Super Micro, saw its share price drop by nearly 50 per cent; likewise Apple’s share price dropped by just under two per cent, and Amazon’s dropped by more than two per cent.

But the article has been strongly denied by the three main companies involved: Apple, Amazon, and Super Micro. Each has issued strong and seemingly unambiguous statements denying the existence and discovery of such chips or any investigation by the US intelligence services into the surveillance implants.

These statements will have gone through layers of lawyers to make sure they do not open these publicly traded corporations to lawsuits and securities fraud claims down the line. Similarly, Bloomberg employs veteran reporters and layers of editors, who check and refine stories, and has a zero tolerance for inaccuracies.

So which is true: did the Chinese government succeed in infiltrating the hardware supply chain and install spy chips in highly sensitive US systems; or did Bloomberg’s journalists go too far in their assertions? We’ll dig in.

The report

First up, the key details of the exclusive. According to the report, tiny microchips that were made to look like signal conditioning couplers were added to Super Micro data center server motherboards manufactured by sub-contractors based in China.

Those spy chips were not on the original board designs, and were secretly added after factory bosses were pressured or bribed into altering the blueprints, it is claimed. The surveillance chips, we’re told, contained enough memory and processing power to effectively backdoor the host systems so that outside agents could, say, meddle with the servers and exfiltrate information.

The Bloomberg article is not particularly technical, so a lot of us are having to guesstimate how the hack worked. From what we can tell, the spy chip was designed to look like an innocuous component on the motherboard with a few connector pins – just enough for power and a serial interface, perhaps. One version was sandwiched between the fiberglass layers of the PCB, it is claimed.

The spy chip could have been placed electrically between the baseboard management controller (BMC) and its SPI flash or serial EEPROM storage containing the BMC’s firmware. Thus, when the BMC fetched and executed its code from this memory, the spy chip would intercept the signals and modify the bitstream to inject malicious code into the BMC processor, allowing its masters to control the BMC.

The BMC is a crucial component on a server motherboard. It allows administrators to remotely monitor and repair machines, typically over a network, without having to find the box in a data center, physically pull it out of the rack, fix it, and re-rack it. The BMC and its firmware can be told to power-cycle the server, reinstall or modify the host operating system, mount additional storage containing malicious code and data, access a virtual keyboard and terminal connected to the computer, and so on. If you can reach the BMC and its software, you have total control over the box.

With the BMC compromised, it is possible the alleged spies modified the controller’s firmware and/or the host operating system and software to allow attackers to connect in or allow data to flow out. We’ve been covering BMC security issues for a while.

Here is Bloomberg’s layman explanation for how that snoop-chip worked: the component “manipulated the core operating instructions that tell the server what to do as data move across a motherboard… this happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow.”

There are a few things to bear in mind: one is that it should be possible to detect weird network traffic coming from the compromised machine, and another is that modifying BMC firmware on the fly to compromise the host system is non-trivial but also not impossible. Various methods are described here.

“It is technically plausible,” said infosec expert and US military veteran Jake Williams in a hastily organized web conference on Thursday morning. “If I wanted to do this, this is how I’d do it.”

The BMC would be a “great place to put it,” said Williams, because the controller has access to the server’s main memory, allowing it to inject backdoor code into the host operating system kernel. From there, it could pull down second-stage spyware and execute it, assuming this doesn’t set off any firewall rules.

A third thing to consider is this: if true, a lot of effort went into this surveillance operation. It’s not the sort of thing that would be added to any Super Micro server shipping to any old company – it would be highly targeted to minimize its discovery. If you’ve bought Super Micro kit, it’s very unlikely it has a spy chip in it, we reckon, if the report is correct. Other than Apple and Amazon, the other 30 or so organizations that used allegedly compromised Super Micro boxes included a major bank and government contractors.

A fourth thing is this: why go to the bother of smuggling another chip on the board, when a chip already due to be placed in the circuitry could be tampered with during manufacture, using bribes and pressure? Why not switch the SPI flash chip with a backdoored one – one that looks identical to a legit one? Perhaps the disguised signal coupler was the best way to go.

And a fifth thing: the chip allegedly fits on a pencil tip. That it can intercept and rewrite data on the fly from SPI flash or a serial EEPROM is not impossible. However, it has to contain enough data to replace the fetched BMC firmware code, that then alters the running operating system or otherwise implements a viable backdoor. Either the chip pictured in Bloomberg’s article is incorrect and just an illustration, and the actual device is larger, or there is state-of-the-art custom semiconductor fabrication involved here.


One final point: you would expect corporations like Apple and Amazon to have in place systems that detect not only unexpected network traffic, but also unexpected operating system states. It should be possible that alterations to the kernel and the stack of software above it should set off alarms during or after boot.
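The detection opportunity raised above (and in the earlier point that weird network traffic from a compromised box should be detectable, as well as Murray’s “abandon the flat network” and “traffic monitoring is essential” items) can be made concrete as a policy over flow records: a BMC lives on a dedicated management subnet and should only ever talk to a handful of management hosts. The following is an added example, not code from The Register or any vendor; the subnet 10.20.0.0/24, the management hosts 10.20.1.10 and 10.20.1.20, the allowed ports and the flow records are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Flow is one summarized connection record as a flow collector or firewall
// would export it (protocol omitted for brevity).
type Flow struct {
	Src     string
	Dst     string
	DstPort int
	Bytes   int
}

// Alert is a policy violation involving a BMC address.
type Alert struct {
	Flow     Flow
	Severity string // "high" or "medium"
	Reason   string
}

// Policy describes the only traffic a BMC is expected to generate or receive:
// a dedicated management subnet, a short list of management hosts (jump host,
// NTP, firmware mirror) and the ports those hosts are reached on.
type Policy struct {
	bmcNet       *net.IPNet
	allowedHosts map[string]bool
	allowedPorts map[int]bool
	private      []*net.IPNet
}

// NewPolicy builds a Policy from the BMC CIDR, allowlisted hosts and ports.
func NewPolicy(bmcCIDR string, hosts []string, ports []int) (*Policy, error) {
	_, bmcNet, err := net.ParseCIDR(bmcCIDR)
	if err != nil {
		return nil, err
	}
	p := &Policy{bmcNet: bmcNet, allowedHosts: map[string]bool{}, allowedPorts: map[int]bool{}}
	for _, h := range hosts {
		p.allowedHosts[h] = true
	}
	for _, pt := range ports {
		p.allowedPorts[pt] = true
	}
	// RFC 1918 ranges: a BMC should never need to reach anything outside them.
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, _ := net.ParseCIDR(c)
		p.private = append(p.private, n)
	}
	return p, nil
}

func (p *Policy) isPrivate(ip net.IP) bool {
	for _, n := range p.private {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate returns one alert per flow that violates the policy, in input order.
// Egress to a public address is the strongest signal (a BMC has no business on
// the Internet); lateral egress, odd ports and unexpected inbound management
// connections are flagged at medium severity.
func (p *Policy) Evaluate(flows []Flow) []Alert {
	var alerts []Alert
	for _, f := range flows {
		src, dst := net.ParseIP(f.Src), net.ParseIP(f.Dst)
		if src == nil || dst == nil {
			continue
		}
		switch {
		case p.bmcNet.Contains(src) && !p.isPrivate(dst):
			alerts = append(alerts, Alert{f, "high", "BMC egress to public address"})
		case p.bmcNet.Contains(src) && !p.allowedHosts[f.Dst]:
			alerts = append(alerts, Alert{f, "medium", "BMC egress to non-management host"})
		case p.bmcNet.Contains(src) && !p.allowedPorts[f.DstPort]:
			alerts = append(alerts, Alert{f, "medium", "BMC egress on unexpected port"})
		case p.bmcNet.Contains(dst) && !p.bmcNet.Contains(src) && !p.allowedHosts[f.Src]:
			alerts = append(alerts, Alert{f, "medium", "inbound to BMC from non-management host"})
		}
	}
	return alerts
}

// SampleFlows are constructed records, not real traffic: 10.20.0.0/24 is the
// BMC subnet, 10.20.1.10 the jump host, 10.20.1.20 the NTP/firmware server.
var SampleFlows = []Flow{
	{"10.20.0.15", "10.20.1.10", 443, 9120},    // admin web UI via jump host: fine
	{"10.20.0.15", "10.20.1.20", 123, 152},     // NTP to management server: fine
	{"10.20.0.15", "203.0.113.77", 443, 48211}, // outbound to the Internet: high
	{"10.20.0.16", "10.30.5.5", 22, 3002},      // lateral into a production subnet
	{"10.99.7.4", "10.20.0.16", 623, 880},      // IPMI from an unexpected source
	{"10.20.0.16", "10.20.1.10", 8080, 410},    // right host, wrong port
}

// DefaultPolicy is the constructed policy used by main and the sample data.
func DefaultPolicy() *Policy {
	p, err := NewPolicy("10.20.0.0/24", []string{"10.20.1.10", "10.20.1.20"}, []int{443, 123, 514})
	if err != nil {
		panic(err)
	}
	return p
}

func main() {
	for _, a := range DefaultPolicy().Evaluate(SampleFlows) {
		fmt.Printf("%-6s %s -> %s:%d (%s)\n", a.Severity, a.Flow.Src, a.Flow.Dst, a.Flow.DstPort, a.Reason)
	}
}
```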

Bloomberg claims the chip was first noticed in 2015 in a third-party security audit of Super Micro servers that was carried out when Amazon was doing due diligence into a company called Elemental Technologies that it was thinking of acquiring. Elemental used Super Micro’s servers to do super-fast video processing.

Big problem

Amazon reported what it found to the authorities and, according to Bloomberg, that “sent a shudder” through the intelligence community because similar motherboards were in use “in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.”

Around the same time, Apple also found the tiny chips, according to the report, “after detecting odd network activity and firmware problems.” Apple contacted the FBI and gave the agency access to the actual hardware. US intelligence agencies then tracked the hardware components backwards through the supply chain, and used their various spying programs to sift through intercepted communications, eventually ending up with a focus on four sub-contracting factories in China.

According to Bloomberg, the US intelligence agencies were then able to uncover how the seeding process worked: “Plant managers were approached by people who claimed to represent Super Micro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.”

This explanation seemingly passes the sniff test: it fits what we know of US intelligence agencies’ investigative approaches, their spy programs, and how the Chinese government works when interacting with private businesses.

The report then provides various forms of circumstantial evidence that add weight to the idea that this all happened by pointing to subsequent actions of both Apple and Amazon. Apple ditched Super Micro entirely as a supplier, over the course of just a few weeks, despite planning to put in a massive order for thousands of motherboards. And Amazon sold off its Beijing data center to its local partner, Beijing Sinnet, for $300m.


from: https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/



07 SEP 2018

Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors



Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers.

Security biz Eclypsium today said a weakness in the mechanism for updating a BMC’s firmware could be abused by an attacker to install and run malicious code that would be extremely difficult to remove.

A BMC is typically installed directly onto the motherboard of a server where it is able to directly control and manage the various hardware components of the server independent of the host and guest operating systems. It can also repair, alter, or reinstall the system software, and is remotely controlled over a network or dedicated channel by an administrator. It allows IT staff to manage, configure, and power cycle boxes from afar, which is handy for people looking after warehouses of machines.

Because BMCs operate at such a low level, they are also valuable targets for hackers.

In this case, Eclypsium says the firmware update code in Supermicro’s BMCs doesn’t bother to cryptographically verify whether or not the downloaded upgrade was issued by the manufacturer, leaving them vulnerable to tampering. The bug could be exploited to execute code that would then be able to withstand OS-level antivirus tools and reinstalls.

To do this, an attacker already on the data center network, or otherwise able to access the controllers, would need to intercept the firmware download, meddle with it, and pass it on to the hardware that will then blindly install it. Alternatively, a miscreant able to eavesdrop on and fiddle with internet traffic feeding into an organization could tamper with the IT team’s BMC firmware downloads, which again would be accepted by the controller.

“We found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage,” says Eclypsium.

“This effectively allows the attacker to load modified code onto the BMC.”

In addition to running malware code beneath the OS level, the researchers said the flaw could also be used to permanently brick the BMC or even the entire server. Even worse, a potential attack wouldn’t even necessarily require physical access to the server itself.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium warned.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

Fortunately, Eclypsium says it has already reported the bug to Supermicro, which responded by adding signature verification to the firmware update tool, effectively plugging this vulnerability. Admins are being advised to get in touch with their Supermicro security contacts to get the fix in place.
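Added example, not code from Eclypsium or Supermicro and not Supermicro’s real image format: a minimal firmware updater in Go that shows the flawed path (the image is parsed and committed with no authenticity check) beside the hardened path (an Ed25519 signature is verified against a pinned vendor key before anything is committed). The image layout, the key handling and the extra anti-rollback check are assumptions made for illustration and go slightly beyond what the article describes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a real vendor format):
//   magic   [4]byte  "BMCF"
//   version uint32   big-endian
//   length  uint32   big-endian, payload length in bytes
//   payload []byte
//   sig     [64]byte Ed25519 signature over magic|version|length|payload
const (
	magic  = "BMCF"
	hdrLen = 12
)

var (
	ErrBadMagic  = errors.New("bad magic")
	ErrTruncated = errors.New("image truncated or length mismatch")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("version rollback rejected")
)

// Image is what the updater would commit to non-volatile storage.
type Image struct {
	Version uint32
	Payload []byte
}

// BuildImage signs a payload with the vendor's private key; this step belongs to
// the vendor's build system, never to the BMC itself.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := new(bytes.Buffer)
	buf.WriteString(magic)
	binary.Write(buf, binary.BigEndian, version)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes())) // signature covers header and payload
	return buf.Bytes()
}

// parse splits an image into the signed region, the trailing signature, and the fields.
func parse(img []byte) (signed, sig []byte, version uint32, payload []byte, err error) {
	if len(img) < hdrLen+ed25519.SignatureSize {
		return nil, nil, 0, nil, ErrTruncated
	}
	if string(img[:4]) != magic {
		return nil, nil, 0, nil, ErrBadMagic
	}
	version = binary.BigEndian.Uint32(img[4:8])
	n := binary.BigEndian.Uint32(img[8:12])
	// Strict length check: the declared payload plus signature must fill the image exactly.
	if uint64(hdrLen)+uint64(n)+uint64(ed25519.SignatureSize) != uint64(len(img)) {
		return nil, nil, 0, nil, ErrTruncated
	}
	end := hdrLen + int(n)
	return img[:end], img[end:], version, img[hdrLen:end], nil
}

// AcceptUnverified models the flaw described above: the updater only checks that the
// image parses, so anyone who can alter the download gets their payload committed.
func AcceptUnverified(img []byte) (*Image, error) {
	_, _, v, p, err := parse(img)
	if err != nil {
		return nil, err
	}
	return &Image{Version: v, Payload: p}, nil
}

// AcceptVerified is the hardened path: verify the signature with the pinned vendor
// public key and refuse downgrades before committing anything.
func AcceptVerified(pub ed25519.PublicKey, installedVersion uint32, img []byte) (*Image, error) {
	signed, sig, v, p, err := parse(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSig
	}
	if v < installedVersion {
		return nil, ErrRollback
	}
	return &Image{Version: v, Payload: p}, nil
}

// Tamper simulates an in-transit modification: one payload byte is flipped and the
// original signature is left in place, which is exactly what signature checking catches.
func Tamper(img []byte) []byte {
	out := append([]byte(nil), img...)
	out[hdrLen] ^= 0xff
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	img := BuildImage(priv, 2, []byte("constructed BMC firmware payload"))
	bad := Tamper(img)
	_, err := AcceptUnverified(bad)
	fmt.Println("flawed updater accepted tampered image:", err == nil)
	_, err = AcceptVerified(pub, 1, bad)
	fmt.Println("hardened updater rejected tampered image:", errors.Is(err, ErrBadSig))
}
```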


from: https://www.theregister.co.uk/2018/09/07/supermicro_bmcs_hole/



18 OCT 2018

Supply Chain Security 101: An Expert’s View


Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.

The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.


Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.


Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.

Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a pretty big threat, but also one that is really hard to counter.

Tony Sager (TS): The federal government has been worrying about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and didn’t have this massive internationalization of the technology supply chain.

But even then there were people who saw where this was all going, and there were some pretty big government programs to look into it.

BK: Right, the Trusted Foundry program I guess is a good example.

TS: Exactly. That was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work with, and where we have only cleared people and total control over the processes and parts.

BK: Why do you think more companies aren’t insisting on producing stuff through code and hardware foundries here in the U.S.?

TS: Like a lot of things in security, the economics always win. And eventually the cost differential for offshoring parts and labor overwhelmed attempts at managing that challenge.

BK: But certainly there are some areas of computer hardware and network design where you absolutely must have far greater integrity assurance?

TS: Right, and this is how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they’ve looked at is this whole business of whether someone might sneak something into the design of a nuclear weapon.

The basic design principle has been to assume that one person in the process may have been subverted somehow, and the whole design philosophy is built around making sure that no one person gets to sign off on what goes into a particular process, and that there is never unobserved control over any one aspect of the system. So, there are a lot of technical and procedural controls there.

But the bottom line is that doing this is really much harder [for non-nuclear electronic components] because of all the offshoring now of electronic parts, as well as the software that runs on top of that hardware.

BK: So is the government basically only interested in supply chain security so long as it affects stuff they want to buy and use?

TS: The government still has regular meetings on supply chain risk management, but there are no easy answers to this problem. The technical ability to detect something wrong has been outpaced by the ability to do something about it.

BK: Wait…what?

TS: Suppose a nation state dominates a piece of technology and in theory could plant something inside of it. The attacker in this case has a risk model, too. Yes, he could put something in the circuitry or design, but his risk of exposure also goes up.

Could I as an attacker control components that go into certain designs or products? Sure, but it’s often not very clear what the target is for that product, or how you will guarantee it gets used by your target. And there are still a limited set of bad guys who can pull that stuff off. In the past, it’s been much more lucrative for the attacker to attack the supply chain on the distribution side, to go after targeted machines in targeted markets to lessen the exposure of this activity.

BK: So targeting your attack becomes problematic if you’re not really limiting the scope of targets that get hit with compromised hardware.

TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting.

BK: Can you talk about some of the things the government has typically done to figure out whether a given technology supplier might be trying to slip in a few compromised devices among an order of many?

TS: There’s this concept of the “blind buy,” where if you think the threat vector is someone gets into my supply chain and subverts the security of individual machines or groups of machines, the government figures out a way to purchase specific systems so that no one can target them. In other words, the seller doesn’t know it’s the government who’s buying it. This is a pretty standard technique to get past this, but it’s an ongoing cat and mouse game to be sure.

BK: I know you said before this interview that you weren’t prepared to comment on the specific claims in the recent Bloomberg article, but it does seem that supply chain attacks targeting cloud providers could be very attractive for an attacker. Can you talk about how the big cloud providers could mitigate the threat of incorporating factory-compromised hardware into their operations?

TS: It’s certainly a natural place to attack, but it’s also a complicated place to attack — particularly the very nature of the cloud, which is many tenants on one machine. If you’re attacking a target with on-premise technology, that’s pretty simple. But the purpose of the cloud is to abstract machines and make more efficient use of the same resources, so that there could be many users on a given machine. So how do you target that in a supply chain attack?

BK: Is there anything about the way these cloud-based companies operate….maybe just sheer scale…that makes them perhaps uniquely more resilient to supply chain attacks vis-a-vis companies in other industries?

TS: That’s a great question. The counter positive trend is that in order to get the kind of speed and scale that the Googles and Amazons and Microsofts of the world want and need, these companies are far less inclined now to just take off-the-shelf hardware and they’re actually now more inclined to build their own.

BK: Can you give some examples?

TS: There’s a fair amount of discussion among these cloud providers about commonalities — what parts of design could they cooperate on so there’s a marketplace for all of them to draw upon. And so we’re starting to see a real shift from off-the-shelf components to things that the service provider is either designing or pretty closely involved in the design, and so they can also build in security controls for that hardware. Now, if you’re counting on people to exactly implement designs, you have a different problem. But these are really complex technologies, so it’s non-trivial to insert backdoors. It gets harder and harder to hide those kinds of things.

BK: That’s interesting, given how much each of us have tied up in various cloud platforms. Are there other examples of how the cloud providers can make it harder for attackers who might seek to subvert their services through supply chain shenanigans?

TS: One factor is they’re rolling this technology out fairly regularly, and on top of that the shelf life of technology for these cloud providers is now a very small number of years. They all want faster, more efficient, powerful hardware, and a dynamic environment is much harder to attack. This actually turns out to be a very expensive problem for the attacker because it might have taken them a year to get that foothold, but in a lot of cases the short shelf life of this technology [with the cloud providers] is really raising the costs for the attackers.

When I looked at what Amazon and Google and Microsoft are pushing for it’s really a lot of horsepower going into the architecture and designs that support that service model, including the building in of more and more security right up front. Yes, they’re still making lots of use of non-U.S. made parts, but they’re really aware of that when they do. That doesn’t mean these kinds of supply chain attacks are impossible to pull off, but by the same token they don’t get easier with time.

BK: It seems to me that the majority of the government’s efforts to help secure the tech supply chain come in the form of looking for counterfeit products that might somehow wind up in tanks and ships and planes and cause problems there — as opposed to using that microscope to look at commercial technology. Do you think that’s accurate?

TS: I think that’s a fair characterization. It’s a logistical issue. This problem of counterfeits is a related problem. Transparency is one general design philosophy. Another is accountability and traceability back to a source. There’s this buzzphrase that if you can’t build in security then build in accountability. Basically the notion there was you often can’t build in the best or perfect security, but if you can build in accountability and traceability, that’s a pretty powerful deterrent as well as a necessary aid.

BK: For example….?

TS: Well, there’s this emphasis on high quality and unchangeable logging. If you can build strong accountability that if something goes wrong I can trace it back to who caused that, I can trace it back far enough to make the problem more technically difficult for the attacker. Once I know I can trace back the construction of a computer board to a certain place, you’ve built a different kind of security challenge for the attacker. So the notion there is while you may not be able to prevent every attack, this causes the attacker different kinds of difficulties, which is good news for the defense.

BK: So is supply chain security more of a physical security or cybersecurity problem?

TS: We like to think of this as we’re fighting in cyber all the time, but often that’s not true. If you can force attackers to subvert your supply chain, then you first off take away the mid-level criminal elements and you force the attackers to do things that are outside the cyber domain, such as set up front companies, bribe humans, etc. And in those domains — particularly the human dimension — we have other mechanisms that are detectors of activity there.

BK: What role does network monitoring play here? I’m hearing a lot right now from tech experts who say organizations should be able to detect supply chain compromises because at some point they should be able to see truckloads of data leaving their networks if they’re doing network monitoring right. What do you think about the role of effective network monitoring in fighting potential supply chain attacks.

TS: I’m not so optimistic about that. It’s too easy to hide. Monitoring is about finding anomalies, either in the volume or type of traffic you’d expect to see. It’s a hard problem category. For the US government, with perimeter monitoring there’s always a trade off in the ability to monitor traffic and the natural movement of the entire Internet towards encryption by default. So a lot of things we don’t get to touch because of tunneling and encryption, and the Department of Defense in particular has really struggled with this.

Now obviously what you can do is man-in-the-middle traffic with proxies and inspect everything there, and the perimeter of the network is ideally where you’d like to do that, but the speed and volume of the traffic is often just too great.

BK: Isn’t the government already doing this with the “trusted internet connections” or Einstein program, where they consolidate all this traffic at the gateways and try to inspect what’s going in and out?

TS: Yes, so they’re creating a highest volume, highest speed problem. To monitor that and to not interrupt traffic you have to have bleeding edge technology to do that, and then handle a ton of it which is already encrypted. If you’re going to try to proxy that, break it out, do the inspection and then re-encrypt the data, a lot of times that’s hard to keep up with technically and speed-wise.

BK: Does that mean it’s a waste of time to do this monitoring at the perimeter?

TS: No. The initial foothold by the attacker could have easily been via a legitimate tunnel and someone took over an account inside the enterprise. The real meaning of a particular stream of packets coming through the perimeter you may not know until that thing gets through and executes. So you can’t solve every problem at the perimeter. Some things only become obvious and make sense to catch when they open up at the desktop.

BK: Do you see any parallels between the challenges of securing the supply chain and the challenges of getting companies to secure Internet of Things (IoT) devices so that they don’t continue to become a national security threat for just about any critical infrastructure, such as with DDoS attacks like we’ve seen over the past few years?

TS: Absolutely, and again the economics of security are so compelling. With IoT we have the cheapest possible parts, devices with a relatively short life span and it’s interesting to hear people talking about regulation around IoT. But a lot of the discussion I’ve heard recently does not revolve around top-down solutions but more like how do we learn from places like the Food and Drug Administration about certification of medical devices. In other words, are there known characteristics that we would like to see these devices put through before they become in some generic sense safe.

BK: How much of addressing the IoT and supply chain problems is about being able to look at the code that powers the hardware and finding the vulnerabilities there? Where does accountability come in?

TS: I used to look at other peoples’ software for a living and find zero-day bugs. What I realized was that our ability to find things as human beings with limited technology was never going to solve the problem. The deterrent effect that people believed someone was inspecting their software usually got more positive results than the actual looking. If they were going to make a mistake – deliberately or otherwise — they would have to work hard at it and if there was some method of transparency, us finding the one or two and making a big deal of it when we did was often enough of a deterrent.

BK: Sounds like an approach that would work well to help us feel better about the security and code inside of these election machines that have become the subject of so much intense scrutiny of late.

TS: We’re definitely going through this now in thinking about the election devices. We’re kind of going through this classic argument where hackers are carrying the noble flag of truth and vendors are hunkering down on liability. So some of the vendors seem willing to do something different, but at the same time they’re kind of trapped now by the good intentions of the open vulnerability community.

The question is, how do we bring some level of transparency to the process, but probably short of vendors exposing their trade secrets and the code to the world? What is it that they can demonstrate in terms of cost effectiveness of development practices to scrub out some of the problems before they get out there. This is important, because elections need one outcome: Public confidence in the outcome. And of course, one way to do that is through greater transparency.

BK: What, if anything, are the takeaways for the average user here? With the proliferation of IoT devices in consumer homes, is there any hope that we’ll see more tools that help people gain more control over how these systems are behaving on the local network?

TS: Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond the ability of small businesses to grapple with this. It’s in fact outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.

It’s now almost impossible for consumers to buy electronics stuff that isn’t Internet-connected. The chipsets are so cheap and the ability for every device to have its own Wi-Fi chip built in means that [manufacturers] are adding them whether it makes sense to or not. I think we’ll see more security coming into the marketplace to manage devices. So for example you might define rules that say appliances can talk to the manufacturer only.

We’re going to see more easy-to-use tools available to consumers to help manage all these devices. We’re starting to see the fight for dominance in this space already at the home gateway and network management level. As these devices get more numerous and complicated, there will be more consumer oriented ways to manage them. Some of the broadband providers already offer services that will tell what devices are operating in your home and let users control when those various devices are allowed to talk to the Internet.


Since Bloomberg’s story broke, the U.S. Department of Homeland Security and the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ, both came out with statements saying they had no reason to doubt vehement denials by Amazon and Apple that they were affected by any incidents involving Supermicro’s supply chain security. Apple also penned a strongly-worded letter to lawmakers denying claims in the story.

Meanwhile, Bloomberg reporters published a follow-up story citing new, on-the-record evidence to back up claims made in their original story.


from: https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/



09 OCT 2018 – Bloomberg Follow-Up

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

The discovery shows that China continues to sabotage critical technology components bound for America.

Implant built into the server’s Ethernet connector.


A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.


Yossi Appleboum

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.

Supermicro, based in San Jose, California, gave this statement: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”

Bloomberg News first contacted Supermicro for comment on this story on Monday at 9:23 a.m. Eastern time and gave the company 24 hours to respond.

Supermicro said after the earlier story that it “strongly refutes” reports that servers it sold to customers contained malicious microchips. China’s embassy in Washington did not return a request for comment Monday. In response to the earlier Bloomberg Businessweek investigation, China’s Ministry of Foreign Affairs didn’t directly address questions about the manipulation of Supermicro servers but said supply chain security is “an issue of common concern, and China is also a victim.”

Supermicro shares plunged 41 percent last Thursday, the most since it became a public company in 2007, following the Bloomberg Businessweek revelations about the hacked servers. They fell as much as 27 percent on Tuesday after the latest story.

The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the ‘Silicon Valley of Hardware,’ and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.

The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company’s technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It’s not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.

AT&T Inc. spokesman Fletcher Cook said, “These devices are not part of our network, and we are not affected.” A Verizon Communications Inc. spokesman said “we’re not affected.”

“Sprint does not have Supermicro equipment deployed in our network,” said Lisa Belot, a Sprint spokeswoman. T-Mobile U.S. Inc. didn’t respond to requests for comment.

Sepio Systems’ board includes Chairman Tamir Pardo, former director of the Israeli Mossad, the national defense agency of Israel, and its advisory board includes Robert Bigman, former chief information security officer of the U.S. Central Intelligence Agency.

U.S. communications networks are an important target of foreign intelligence agencies, because data from millions of mobile phones, computers, and other devices pass through their systems. Hardware implants are key tools used to create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time. 

In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been “aware of an issue” connected to Supermicro products since June. Trond Ovstedal, a spokesman for the agency, later added to that statement, saying the agency was alerted to the concerns by someone who had heard of them via Bloomberg’s news gathering efforts. In its initial statement, the authority couldn’t confirm the details of Bloomberg’s reporting, but said that it has recently been in dialogue with partners over the issue.

Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”


from: https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom





Israel Securities Authority Turns to Blockchain for Improving Cybersecurity

Israel’s national securities regulator is now using blockchain to improve data integrity
for its messaging system, online voting, and critical reports storage.


The Israel Securities Authority (ISA) has started to use blockchain to improve the cybersecurity of its messaging system, online newspaper Times of Israel reports today, October 3.

The government regulator has reportedly embedded the technology into a system dubbed “Yael,” used to deliver messages and other information to entities that fall under ISA oversight.

The ISA has further plans to implement blockchain in two other systems, including an online voting system that enables investors to participate in ISA meetings remotely, and a system called “Magna” that stores all the reports filed by ISA-regulated entities. The blockchain solution used by ISA was reportedly developed by IT firm Taldor, according to the Times of Israel.

As the publication outlines, the technology can provide robust solutions to countering fraud, as it can be used to verify the authenticity of communications, as well as safeguard against post-facto editing or inappropriate deletions.

The regulator is quoted by the Times of Israel as saying that the transition to blockchain “adds another layer to ensuring the credibility of the information relayed to the supervised bodies.” Moreover, a blockchain system can prove or disprove that a message has been sent by the ISA.

Natan Hershkovitz, director of the ISA’s Information Systems Department, said that the move to integrate blockchain aligns with “a growing trend around the world, and in the financial field in particular, to embed innovative and revolutionary technologies.”

As reported last month, Switzerland and Israel have recently agreed to share their experience on regulating the blockchain industry, with the Swiss State Secretary for International Financial Matters Joerg Gasser saying that he plans to prepare a report outlining general recommendations for review by the Israeli government.

Israel’s Ministry of Finance, for its part, has said that both countries have agreed to share notes on fintech regulation, including guidelines on cryptocurrencies and combating money laundering (AML).


from: https://cointelegraph.com/news/israel-securities-authority-turns-to-blockchain-for-improving-cybersecurity




JPMorgan’s Focus on Blockchain Is Part of Digital Transformation Roadmap, New Study Reveals

JP Morgan earmarked $10.8 billion for technology spending in 2018. A study into its digital transformation initiatives has revealed that blockchain is a central focus in the bank’s innovation roadmap.

A study into JPMorgan’s digital transformation initiatives has revealed that blockchain is a key technology for the bank’s roadmap, according to a press release published by ResearchAndMarkets.com (RM) October 3.

RM has analyzed JPMorgan’s enterprise-wide strategies to secure its “competitive edge” against rival banks, non-financial firms, and fintech startups. The bank has reportedly earmarked $10.8 billion for technology spending in 2018, $5 billion of which will go towards fintech investments.

The study covers JPMorgan’s digital transformation roadmap, with blockchain listed as the first in a range of bleeding-edge technologies that are being pursued by the bank — including big data, cloud, artificial intelligence (AI), and robotics.

It outlines a range of approaches that JPMorgan has undertaken, including establishing accelerators and incubators, investing, acquiring or forming partnerships with fintech startups, and moving away from legacy systems towards newer, disruptive solutions.

As RM underscores, all these strategies are part of a bid to become a leading digital bank. The study also outlines recommendations for other market participants to similarly “embrace” wide-ranging fintech innovation.

Just last week, Cointelegraph reported that JPMorgan had expanded its blockchain payment platform to over 75 multinational banks as part of participants’ combined efforts to fight off competition from outside of the banking sector. The bank first began testing the platform in April with partners that included Goldman Sachs, Pfizer Inc., and the National Bank of Canada.

This August, JPMorgan’s CIO Lori Beer forecast that blockchain would “replace existing technology” within a matter of “a few years.” The bank remains, however, notably risk-averse when it comes to cryptocurrencies, with CEO Jamie Dimon making notorious anti-Bitcoin (BTC) remarks on several occasions. Nonetheless, other senior figures within the company have hinted at a potentially more receptive stance towards the crypto space.


from: https://cointelegraph.com/news/jpmorgans-focus-on-blockchain-is-part-of-digital-transformation-roadmap-new-study-reveals




Telegram Leaks User IP Addresses

Huge impact in the blockchain space, where Telegram is so popular: recon made easy.
Knowing a user’s IP address makes reconnaissance and targeted attacks against wallet holders (geolocation, ISP lookup, attacks on the home network) much easier
(also sad: with a $2 billion ICO, this is the best quality they can offer?).


A vulnerability in Telegram Desktop results in the end user’s public and private IP addresses being leaked during a call, a security researcher has discovered.

A cloud-based instant messaging and voice-over-IP service, Telegram was designed to provide users with secure communication capabilities: messages are encrypted in transit (end-to-end encrypted only in its opt-in secret chats) and can be set to self-destruct.

Tracked as CVE-2018-17780, the newly discovered issue affects Telegram Desktop (aka tdesktop) 1.3.14, and Telegram WP8.1 on Windows, and is the result of a default, unsafe behavior where peer-to-peer (P2P) connections are accepted from clients outside of the My Contacts list.

Security researcher Dhiraj Mishra discovered that a default setting where Telegram clients used P2P connections while initiating a call could result in the user’s IP address being leaked.

Additional connection options are available in Settings > Privacy and security > Calls > peer-to-peer, but there was no option for setting “P2P > nobody” in tdesktop and Telegram for Windows, thus causing a privacy issue, the researcher says.

According to Mishra, a user’s IP address could leak on Telegram for Android as well, provided that the option hasn’t been set to “Settings > Privacy and security > Calls > peer-to-peer > nobody.” However, the Android client does provide the option.

To trigger the vulnerability in tdesktop, one would simply need to launch the application and initiate a call to another user, as the client would leak the IP address during call initialization.

The bug manifests itself even for incoming calls, with the recipient being able to view the public/private IP address of the caller in logs. The IP leaks even if the call is made from a Windows Phone.

“Not only does the MTProto Mobile Protocol fail here in covering the IP address, but such information can also be used for OSINT,” the researcher notes.

[Open-Source INTelligence = OSINT: is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources). It is not related to open-source software or public intelligence. — see also: https://en.wikipedia.org/wiki/Open-source_intelligence — TJACK]

Telegram Desktop 1.3.17 beta and v1.4.0 are no longer impacted. The vulnerability has been addressed with the addition of an option for setting P2P to Nobody/My contacts. Mishra received a €2000 ($2300) bug bounty reward for the discovery.


from: https://www.securityweek.com/telegram-leaks-user-ip-addresses




NYC Wants to Build a CyberArmy – With 10,000 Cybersecurity Professionals and 3+8-Floor Global Cyber Centers in Chelsea

Through five new startup programs, Cyber NYC is the city’s bold plan to dominate cybersecurity this century

Empires rise and fall, and none more so than business empires. Whole industries that once dominated the planet are just a figment in memory’s eye, while new industries quietly grow into massive behemoths.

New York City has certainly seen its share of empires. Today, the city is a global center of finance, real estate, legal services, technology, and many, many more industries. It hosts the headquarters of roughly 10% of the Fortune 500, and the metro’s GDP is roughly equivalent to that of Canada.

So much wealth and power, and all under constant attack. The value of technology and data has skyrocketed, and so has the value of stealing and disrupting the services that rely upon it. Cyber crime and cyber wars are adding up: according to a report published jointly between McAfee and the Center for Strategic and International Studies, the costs of these operations are in the hundreds of billions of dollars – and New York’s top industries such as financial services bear the brunt of the losses.

Yet, New York City has hardly been a bastion for the cybersecurity industry. Boston and Washington DC are far stronger today on the Acela corridor, and San Francisco and Israel have both made huge impacts on the space. Now, NYC’s leaders are looking to build a whole new local empire that might just act as a bulwark for its other leading ecosystems.

Today, the New York City Economic Development Corporation (NYCEDC) announced the launch of Cyber NYC, a $30 million “catalyzing” investment designed to rapidly grow the city’s ecosystem and infrastructure for cybersecurity.


James Patchett, CEO of New York City Economic Development Corporation. (Photo from NYCEDC)


James Patchett, CEO of NYCEDC, explained in an interview with TechCrunch that cybersecurity is “both an incredible opportunity and also a huge threat.” He noted that “the financial industry has been the lifeblood of this city for our entire history,” and the costs of cybercrime are rising quickly. “It’s a lose-lose if we fail to invest in the innovation that keeps the city strong” but “it’s a win if we can create all of that innovation here and the corresponding jobs,” he said.

The Cyber NYC program is made up of a constellation of programs:

  • Partnering with Jerusalem Venture Partners, an accelerator called Hub.NYC will develop enterprise cybersecurity companies by connecting them with advisors and customers. The program will be hosted in a nearly 100,000 square foot building in SoHo.
  • Partnering with SOSA, the city will create a new, 15,000 square foot Global Cyber Center co-working facility in Chelsea, where talented individuals in the cyber industry can hang out and learn from each other through event programming and meetups.
  • With Fullstack Academy and Laguardia Community College, a Cyber Boot Camp will be created to enhance the ability of local workers to find jobs in the cybersecurity space.
  • Through an “Applied Learning Initiative,” students will be able to earn a “CUNY-Facebook Master’s Degree” in cybersecurity. The program has participation from the City University of New York, New York University, Columbia University, Cornell Tech, and iQ4.
  • With Columbia University’s Technology Ventures, NYCEDC will introduce a program called Inventors to Founders that will work to commercialize university research.


NYCEDC’s map of the Cyber NYC initiative. (Photo from NYCEDC)


In addition to Facebook, other companies have made commitments to the program, including Goldman Sachs, MasterCard, PricewaterhouseCoopers, and edX.org. Two Goldman execs, Chief Operational Risk Officer Phil Venables and Chief Information Security Officer Andy Ozment, have joined the initiative’s advisory boards.

The NYCEDC estimates that there are roughly 6,000 cybersecurity professionals currently employed in New York City. Through these programs, it estimates that the number could increase by another 10,000. Patchett said that “it is as close to a no-brainer in economic development because of the opportunity and the risk.”

From Jerusalem to New York

To tackle its ambitious cybersecurity goals, the NYCEDC is partnering with two venture firms, Jerusalem Venture Partners (JVP) and SOSA, with significant experience investing, operating, and growing companies in the sector.

Jerusalem-based JVP is an established investor that should help founders at Hub.NYC get access to smart capital, sector expertise, and the entrepreneurial experience needed to help their startups scale. JVP invests in early-, late-, and growth-stage companies focused on cybersecurity, big data, media, and enterprise software.


JVP will run Hub.NYC, a startup accelerator that will help cybersecurity startups connect with customers and mentors. (Photo from JVP)


Erel Margalit, who founded the firm in 1993, said that “If you look at what JVP has done … we create ecosystems.” Working with Jerusalem’s metro government, Margalit and the firm pioneered a number of institutions such as accelerators that turned Israel into an economic powerhouse in the cybersecurity industry. His social and economic work eventually led him to the Knesset, Israel’s unicameral legislature, where he served as an MP from 2015-2017 with the Labor Party.

Israel is a very small country with a relative dearth of large companies though, a huge challenge for startups looking to scale up. “Today if you want to build the next-generation leading companies, you have to be not only where the ideas are being brewed, but also where the solutions are being [purchased],” Margalit explained. “You need to be working with the biggest customers in the world.”

That place, in his mind, is New York City. It’s a city he has known since his youth – he worked at Moshe’s Moving in NYC while attending Columbia as a grad student where he got his PhD in philosophy. Now, he can pack up his own success from Israel and scale it up to an even larger ecosystem.

Since its founding, JVP has successfully raised $1.1 billion across eight funds, including a $60 million fund specifically focused on the cybersecurity space. Over the same period, the firm has seen 32 successful exits, including cybersecurity companies CyberArk (IPO in 2014) and CyActive (acquired by PayPal in 2015).

JVP’s efforts in the cybersecurity space also go beyond the investment process, with the firm recently establishing an incubator, known as JVP Cyber Labs, specifically focused on identifying, nurturing and building the next wave of Israeli cybersecurity and big data companies.

On average, the firm has focused on deals in the $5-$10 million range, with a general proclivity for earlier-stage companies where the firm can take a more hands-on mentorship role. Some of JVP’s notable active portfolio companies include Source Defense, which uses automation to protect against website supply chain attacks, ThetaRay, which uses big data to analyze threats, and Morphisec, which sells endpoint security solutions.

Opening up innovation with SOSA

The self-described “open-innovation platform,” SOSA is a global network of corporations, investors, and entrepreneurs that connects major institutions with innovative startups tackling core needs.

SOSA works closely with its partner startups, providing investor sourcing, hands-on mentorship and the physical resources needed to achieve growth. The group’s areas of expertise include cybersecurity, fintech, automation, energy, mobility, and logistics. Though headquartered in Tel Aviv, SOSA recently opened an innovation lab in New York, backed by major partners including HP, RBC, and Jefferies.

With the eight-floor Global Cyber Center located in Chelsea, it is turning its attention to an even more ambitious agenda. Uzi Scheffer, CEO of SOSA, said to TechCrunch in a statement that “The Global Cyber Center will serve as a center of gravity for the entire cybersecurity industry where they can meet, interact and connect to the finest talent from New York, the States, Israel and our entire global network.”


SOSA’s new building in Chelsea will be a center for the cybersecurity community (Photo from SOSA)


With an already established presence in New York, SOSA’s local network could help spur the local corporate participation key to the EDC’s plan, while SOSA’s broader global network can help achieve aspirations of turning New York City into a global cybersecurity leader.

It is no coincidence that both of the EDC’s venture partners are familiar with the Israeli cybersecurity ecosystem. Israel has long been viewed as a leader in cybersecurity innovation and policy, and has benefited from the same successful public-private sector coordination New York hopes to replicate.

Furthermore, while New York hopes to create organic growth within its own local ecosystem, the partnerships could also benefit the city if leading Israeli cybersecurity companies look to relocate due to the limited size of the Israeli market.

Big plans, big results?

While we spent comparatively less time discussing them, the NYCEDC’s educational programs are particularly interesting. Students will be able to take classes at any university in the five-member consortium, and transfer credits freely, a concept that the NYCEDC bills as “stackable certificates.”

Meanwhile, Facebook has partnered with the City University of New York to create a professional master’s degree program to train up a new class of cybersecurity leaders. The idea is to provide a pathway to a widely-respected credential without having to take too much time off of work. NYCEDC CEO Patchett said, “you probably don’t have the time to take two years off to do a masters program,” and so the program’s flexibility should provide better access to more professionals.

Together, all of these disparate programs add up to a bold attempt to put New York City on the map for cybersecurity. Talent development, founder development, customer development – all have been addressed with capital and new initiatives.


Will the community show up at initiatives like the Global Cyber Center, pictured here? (Photo from SOSA)


Yet, despite the time that NYCEDC has spent to put all of these partners together cohesively under one initiative, the real challenge starts with getting the community to participate and build upon these nascent institutions. “What we hear from folks a lot of time,” Patchett said to us, is that “there is no community for cyber professionals in New York City.” Now the buildings have been placed, but the people need to walk through the front doors.

The city wants these programs to be self-sustaining as soon as possible. “In all cases, we don’t want to support these ecosystems forever,” Patchett said. “If we don’t think they’re financially sustainable, we haven’t done our job right.” He believes that “there should be a natural incentive to invest once the ecosystem is off the ground.”

As the world encounters an ever-increasing array of cyber threats, old empires can falter – and new empires can grow. Cybersecurity may well be one of the next great industries, and it may just provide the needed defenses to ensure that New York City’s other empires can live another day.


from: https://techcrunch.com/2018/10/02/nyc-wants-to-build-a-cyber-army/





St. Louis Fed VP: A Private Crypto Could Solve the ‘Triffin Dilemma’ – Replacing the US Dollar as World Reserve Currency

Triffin Dilemma refers to the conflicting interests between national and global monetary policy for a country whose currency is used as the world’s reserve.
(more on that below)


Cryptocurrencies could serve as a possible solution to disparities currently faced by the U.S. dollar, an economist with the Federal Reserve Bank of St. Louis said Tuesday.

During an hour-long question-and-answer session, the Federal Reserve Bank of St. Louis – one of 12 regional banks that make up the U.S. central banking system – answered questions on Twitter with economist David Andolfatto, who is a vice president in the bank’s research division.

During the session, one user asked whether cryptocurrencies can be used to solve the 50-year-old Triffin Dilemma, which refers to the conflicting interests between national and global monetary policy for a country whose currency is used as the world’s reserve.

Specifically, it refers to the U.S. dollar, which has been considered a world reserve currency for decades. In order to maintain this role, the U.S. must incur a trade deficit.

When posed the Triffin Dilemma question, Andolfatto responded:

“The Triffin Dilemma refers to the double-edged sword of possessing a currency that serves as the world reserve currency. If a private cryptocurrency were to replace a given world reserve currency, this would eliminate the dilemma for that currency.”

Other questions asked during the session ranged from whether Andolfatto thought a cryptocurrency could replace the U.S. dollar or whether the Federal Reserve is likely to ever consider monetary policy in terms of cryptocurrencies.

The economist demurred on both counts, noting that cryptocurrencies are essentially private monies, and therefore not something that would fall under the central bank’s purview.

Moreover, because there is “no need for decentralized consensus based record keeping” for the dollar, he does not see it being replaced with a cryptocurrency.

Andolfatto also does not see the demand for cryptocurrencies supplanting the demand for existing reserve currencies, he added.


from: https://www.coindesk.com/brazil-moves-to-probe-banks-after-crypto-exchanges-denied-services/



Robert Triffin

How The Triffin Dilemma Affects Currencies

By Brent Radcliffe | October 26, 2011


In October 1959, a Yale professor sat in front of Congress’ Joint Economic Committee and calmly announced that the Bretton Woods system was doomed. The dollar could not survive as the world’s reserve currency without requiring the United States to run ever-growing deficits. This dismal scientist was Belgium-born Robert Triffin, and he was right. The Bretton Woods system collapsed in 1971, and today the dollar’s role as the reserve currency has the United States running the largest current account deficit in the world.

For much of the 20th century, the U.S. dollar was the currency of choice. Central banks and investors alike bought dollars to hold as foreign exchange reserves, and with good reason. The U.S. had a stable political climate, did not experience the ravages of world wars like Europe had and had a steadily growing economy that was large enough to absorb shocks.

By “agreeing” to have its currency used as a reserve currency, a country pins its hands behind its back. In order to keep the global economy chugging along, it may have to inject large amounts of currency into circulation, driving up inflation at home. The more popular the reserve currency is relative to other currencies, the higher its exchange rate and the less competitive domestic exporting industries become. This causes a trade deficit for the currency-issuing country, but makes the world happy. If the reserve currency country instead decides to focus on domestic monetary policy by not issuing more currency then the world is unhappy.

Reserve Currency Paradox
Becoming a reserve currency presents countries with a paradox. They want the “interest-free” loan generated by selling currency to foreign governments, and the ability to raise capital quickly, because of high demand for reserve currency-denominated bonds. At the same time they want to be able to use capital and monetary policy to ensure that domestic industries are competitive in the world market, and to make sure that the domestic economy is healthy and not running large trade deficits. Unfortunately, both of these ideas – cheap sources of capital and positive trade balances – can’t really happen at the same time.

This is the Triffin dilemma, named after Robert Triffin, an economist who wrote of the impending doom of the Bretton Woods system in his 1960 book “Gold and the Dollar Crisis: The Future of Convertibility.” He pointed out that the years of pumping dollars into the world economy through post-war programs, such as the Marshall Plan, were making it increasingly difficult to stick to the gold standard. To maintain the standard, the country had to instill international confidence in the dollar, which called for a current account surplus, while also supplying the world with the dollars it needed as reserves, which required a current account deficit, all while promising immediate convertibility into gold.

Issuing a reserve currency means that monetary policy is no longer a domestic-only issue – it’s international. Governments have to balance the desire to keep unemployment low and economic growth steady with their responsibility to make monetary decisions that will benefit other countries. The reserve currency status is, thus, a threat to national sovereignty.

Another Reserve Currency
What would happen if another currency, such as China’s yuan, were to become the world’s reserve currency of choice? The dollar would likely depreciate relative to other currencies, which could boost exports and lower the trade deficit. The bigger issue, however, would be an increase in borrowing costs as demand for a constant flow of dollars tapered off, which could have a severe impact on the ability of the U.S. to repay its debt or fund domestic programs. China, on the other hand, would have to quickly modernize a financial system long criticized for protecting its export-led industries through currency manipulation. Demand for yuan convertibility means that China’s central bank would have to relax regulations relating to yuan-denominated bonds.

There is another possibility for reducing the pressures countries face in trying to maintain reserve currency status: a new international monetary system. This isn’t a new idea, having been floated for several decades as a potential solution. One possibility is the special drawing right, a type of reserve asset maintained by a global institution such as the International Monetary Fund (IMF). While this is not a currency, it does represent a claim by other countries on foreign exchange assets. A more radical idea would be to create a global currency, a concept pushed by John Maynard Keynes, with a value based on gold or on the machinery of a global central bank. This is probably the more complex solution available, and it does present problems relating to sovereignty, stability and administration. After all, how can you hold an organization accountable that is voluntary?

The Bottom Line
In the short-term, the prospect of a reserve currency replacing the dollar is slim to none. Despite the economic and political problems facing the United States its “safe haven” status is hard to beat, especially in light of the plight of the euro. It is hard to parse out what exactly would happen if the dollar were to be overtaken by another currency, and it is equally difficult to predict what budgetary and austerity measures in Europe and the United States will do to the global economy in the coming years.


from: https://www.investopedia.com/financial-edge/1011/how-the-triffin-dilemma-affects-currencies.aspx





IBM Wins Patent for Blockchain-Based Network Security System

A new patent awarded to tech giant IBM highlights how blockchain tech might play a role in monitoring security breaches within computer networks.

First filed in September 2017 and awarded Tuesday by the U.S. Patent and Trademark Office (USPTO), the patent outlines how a network of monitors connected to a blockchain platform can log events on the network, including potential intrusions. While attackers may try to hide signs of their work on one monitor, having multiple backups of that information will help ensure that such events are still logged, according to IBM.

“On a computer system or network, data may be monitored for many different purposes. Data monitoring may identify problems, observe conditions or track metrics by logging the events of a given computer system or network,” the patent states. Securing such data is critical for a company.

To that end, Big Blue notes that companies may set up a system of devices to monitor attempted intrusions on the distributed network, using node consensus to flag any irregularities.

The patent explains:

“Having synchronized monitors set up in a blockchain configuration ensures consensus among the monitors. Since one monitor alone cannot alter the event log in the past or cannot fake the event log in the future, if one monitor is hacked, then there may be no consensus among the synchronized monitors and the event may not get written into the log.”

The sensors allow consensus by passing the same information to more than one monitor. When monitors are validating information, if data for an event or transaction does not match, then one monitor may have been compromised.

In such an event, this “may alert the monitor security program of inconsistent data,” which in turn warns the system administrators that there is an issue.

Using blockchain technology to highlight irregularities in this way would therefore “create a less vulnerable network,” according to IBM.
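What the ISA item above (messages that cannot be edited or deleted after the fact) and IBM’s patent (synchronized monitors that outvote a compromised one) both describe, as an added example that is neither IBM’s system nor the Taldor deployment: a hash-chained event log held by several monitors, with a majority check over the chain heads. Events and monitor names are constructed; the attacker model (full control of one monitor, able to rewrite its copy consistently) is an assumption chosen to show why one copy is not enough.

```python
"""Hash-chained event log replicated across monitors, with majority consensus.

Added example, not IBM's patented system or the ISA/Taldor deployment. Each
record commits to the one before it, so a past entry cannot be edited in place
without breaking the chain; several monitors hold the same chain, so one
rewritten copy is outvoted. Events are constructed.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


def entry_hash(prev_hash: str, event: dict) -> str:
    """Commit to the previous hash and a canonical encoding of the event."""
    body = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class Monitor:
    def __init__(self, name: str):
        self.name = name
        self.chain = []          # list of (hash, event), oldest first

    def head(self) -> str:
        return self.chain[-1][0] if self.chain else GENESIS

    def append(self, event: dict) -> None:
        self.chain.append((entry_hash(self.head(), event), event))

    def verify(self) -> bool:
        """Does every stored hash match its predecessor and its event?"""
        prev = GENESIS
        for h, event in self.chain:
            if entry_hash(prev, event) != h:
                return False
            prev = h
        return True


def broadcast(monitors, event: dict) -> None:
    """Sensors pass the same event to every monitor."""
    for m in monitors:
        m.append(event)


def consensus(monitors):
    """Majority head hash and the monitors that disagree with it.

    Returns (agreed_head or None, [dissenting names]). With no strict
    majority nothing is agreed and every monitor is listed.
    """
    votes = Counter(m.head() for m in monitors)
    head, count = votes.most_common(1)[0]
    if count * 2 <= len(monitors):
        return None, [m.name for m in monitors]
    return head, [m.name for m in monitors if m.head() != head]


def rewrite_history(monitor: Monitor, index: int, new_event: dict) -> None:
    """Attacker with full control of one monitor: edit an entry and recompute
    every later hash so that copy still passes its own verify()."""
    events = [e for _, e in monitor.chain]
    events[index] = new_event
    monitor.chain = []
    for e in events:
        monitor.append(e)


def scenario():
    """Three monitors see three events; the attacker then scrubs their login
    from monitor B's copy. Returns (B still self-verifies, dissenting monitors)."""
    a, b, c = (Monitor(n) for n in "ABC")
    mons = [a, b, c]
    broadcast(mons, {"t": 1, "src": "10.0.0.7", "msg": "ssh login root"})
    broadcast(mons, {"t": 2, "src": "10.0.0.7", "msg": "sudo: modprobe"})
    broadcast(mons, {"t": 3, "src": "10.0.0.9", "msg": "http GET /"})
    assert consensus(mons) == (a.head(), [])
    rewrite_history(b, 0, {"t": 1, "src": "10.0.0.7", "msg": "ssh login failed"})
    _, dissent = consensus(mons)
    return b.verify(), dissent


if __name__ == "__main__":
    print(scenario())   # (True, ['B'])
```

Two things the example makes visible that the prose does not. First, a single monitor’s own `verify()` still passes after the rewrite, because an attacker who owns the box can recompute the chain; only the comparison against the other monitors’ heads catches it. Second, the majority rule is only as good as the number of independent monitors: with two, one compromised copy produces a tie and nothing is agreed. Binding authorship (the ISA’s “prove a message was sent by the ISA”) needs a signature over each entry hash on top of this, which the block does not implement.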


from: https://www.coindesk.com/ibm-wins-patent-for-blockchain-based-network-security-system/



‘Bitcoin Bug’ Exploited on Crypto Fork as Attacker Prints 235 Million Pigeoncoins ($15,000)

Better use the original … and keep patching promptly.


A severe bug discovered just weeks ago in bitcoin’s code has been exploited – albeit on a lesser-known cryptocurrency.

The developers behind the pigeoncoin cryptocurrency confirmed the exploit to CoinDesk on Tuesday, reporting that an unknown attacker successfully took advantage of the bug on September 26th, showcasing in the wild how it could have been used on bitcoin by printing 235 million coins worth about $15,000.

That’s because while the severe inflation bug was patched on bitcoin, other coins that have borrowed bitcoin’s public code over the years are still vulnerable (if they haven’t corrected their code). If exploited, the bug gives an attacker the ability to print as many coins as they want, going even above the hard-coded limitations on supply cryptocurrencies often have and decreasing the value of all the other coins investors hold.

Set apart by its X16r mining algorithm, pigeoncoin is not exactly a big cryptocurrency, not even ranking in the top 1,000 in terms of how valuable it is compared to others on CoinMarketCap. Still, the attack may be no less impactful on its efforts to use a blockchain to “end abusive data collection.”

With a total supply of 970 million pigeoncoins, the attacker was able to print an amount equal to one-fourth of all publicly traded pigeoncoins, prompting one of the only exchanges to support the currency, CryptoBridge, to temporarily suspend trading while developers moved to enact a fix.

After the inflation was detected, developers of the coin quickly released a software fix borrowing from the code bitcoin developers put out a couple of weeks ago. “Pools and exchanges must upgrade immediately to resolve a double-spend exploit derived from bitcoin source,” the notes for the fix explain.

But while users might not particularly care about what happens to the little-known coin, the exploit has wider implications for the cryptocurrency world.

Cryptocurrency developer Scott Roberts argued that the main takeaway from this event is that the bitcoin bug was really as bad as it sounded:

“Mainly it’s just nice to know for sure by this example that coins in the wild were really vulnerable. It was not just some vague theoretical problem.”

What’s next

Now the bug is fixed, observers are wondering what the attacker will do and whether he or she will successfully be able to trade their gains for fiat money. In order to do so, the attacker most likely will need to convert their pigeoncoin into another cryptocurrency that’s more widely accepted.

“Many of us are now waiting to see what happens with the hacked coins and if there’s going to be a dump soon,” pigeoncoin developer Michael Oates told CoinDesk.

The community is following the events closely in the pigeoncoin Discord chat channel. “My guess is the funds won’t move for a few days. It would be stupid to try and move them all at once,” Oates added on Discord.

The other big concern is, if pigeoncoin was attacked, what about other coins that have cloned bitcoin’s code?

“It would be interesting to see how many coins suffered an attack due to [the] bug,” Roberts told CoinDesk, adding that pigeoncoin is the only one he knows has been exploited so far.

Still, Roberts added that many cryptocurrencies, such as bitcoin gold and litecoin, have now upgraded, so hopefully the same attack won’t be executed on other coins.

He concluded:

“It looks like most coins have already updated, so it’s not likely to be a problem.”


from: https://www.coindesk.com/bitcoin-bug-exploited-on-crypto-fork-as-attacker-prints-235-million-pigeoncoins/




Two of Blockchain’s Biggest Consortiums Just Joined Forces: Hyperledger & Enterprise Ethereum Alliance (EEA)

Hyperledger’s Executive Director Brian Behlendorf

This move is further watering down what “Blockchain” really is and means;
both mostly work on “permissioned” systems: an oxymoron to Blockchain – TJACK


Seismic shifts are happening in the world of enterprise blockchain.

Announced Monday, the Hyperledger Project and the Enterprise Ethereum Alliance (EEA) have agreed to collaborate on bringing common standards to the blockchain space and cross-pollinate a wider open-source community.

This joining of forces is notable as EEA and Hyperledger represent two of the three largest and arguably most influential enterprise blockchain communities, the third being the R3 Corda ecosystem.

If the team-up succeeds in creating common standards between the two platforms, it could sway enterprises previously on the fence to build their blockchains on one or the other, since the risk of creating new silos that don’t talk to other systems is being addressed.

As EEA executive director Ron Resnick told CoinDesk:

“The enterprises of the world are going to want to purchase solutions where they have a choice of multiple vendors.”

Further, for Hyperledger’s 270 member organizations, there is now the promise of interacting with tokens and smart contracts on the ethereum public chain.

Stepping back, Hyperledger was founded as an umbrella organization – cast in the image of the Linux Foundation – for open source blockchain development, comprising a number of protocols designed specifically for enterprises. Meanwhile, the 500-member EEA is a standards organization looking to build private or permissioned business applications on the foundations of the public ethereum blockchain.

But over time, there has been growing support for ethereum within Hyperledger. Formalizing that convergence, the new alliance “will enable Hyperledger developers to write code that conforms to the EEA specification and certify them through EEA certification testing programs expected to launch in the second half of 2019,” the organizations said in a blog post published Monday.

Brian Behlendorf, Hyperledger’s executive director, told CoinDesk that the EEA’s work on standards and attempt to align a whole universe of different vendors into a common enterprise picture is very complementary to Hyperledger.

“It’s a two-way street. There’s not a lot of groups effectively doing standards in the blockchain space today and EEA has a head start there. What can we contribute to that momentum?” said Behlendorf.

He said both groups can now work on a reference implementation (a software standard from which all other implementations and corresponding customizations are derived). “We think that doing that as a project or a lab at Hyperledger would be interesting,” he said.

Building bridges

Illustrating how the Hyperledger community had already been moving in an ethereum-friendly direction: earlier this year Sawtooth (a codebase contributed to Hyperledger by Intel) added support for the ethereum virtual machine (EVM) as a transaction processor. This made it possible to bring smart contracts developed for the public ethereum blockchain over to Sawtooth-based networks.

That effort, dubbed “Seth,” is now in active use, and gathering some momentum. Sawtooth proponent Dan Middleton was recently elected chairman of Hyperledger’s technical steering committee and Seth awaits “conformance testing to the EEA specification as soon as possible,” according to the joint statement by Hyperledger and EEA.

Meanwhile, EVM work is also now underway with Fabric, arguably Hyperledger’s flagship protocol.

This work, which will start to really come to the fore in Fabric 1.3, aims to allow users to run ethereum smart contracts and also be able to have ERC-20 and ERC-721 (the standards that gave rise to ICOs and CryptoKitties, respectively) as the token model on Fabric, as currently is the case on Sawtooth.

Behlendorf said he keeps an open mind about how these architectures might evolve. “I think in the long term the benefits of one accrue to the other,” he said in reference to Sawtooth and Fabric. “Whether that means they and other frameworks will merge together or specialize, it’s still an open book.”

Working on common standards and building bridges between communities would seem to pave the way to some future state of interoperability – an often talked-of ideal in the blockchain world.

“I do think that interoperability between ledgers will happen at a much higher level in the stack than most people expect,” explained Behlendorf. In other words, building common standards and data formats, rather than monkeying with complex consensus protocols, will link use cases in a multi-chain universe.

As well as working with the EVM, Hyperledger developers also want to keep a close eye on decisions being taken within the ethereum community around using WebAssembly, a coding standard for web pages, to potentially make the next generation of the public blockchain protocol more JavaScript-orientated.

“We are tracking this very closely in Burrow [a third Hyperledger implementation] and in Sawtooth and would like to be there as soon as they make that call,” said Behlendorf.

R3’s a crowd?

All this talk of collaboration and mutual benefit might have you imagining the whole enterprise blockchain community gathered around a campfire singing “Kumbaya,” but make no mistake: this is still a fiercely competitive field. And R3, which boasts more than 200 members and partners across multiple industries, clearly views EEA and Hyperledger as its competitors.

In a recent interview, R3 lead platform engineer Mike Hearn seemed to anticipate the announcement of an alliance between the EEA and Hyperledger, which he dismissed as more of “a marketing event rather than a major change to the way the platforms work.”

Behlendorf agreed that this joining of forces is, to an extent, about marketing, but not just to end-user organizations and the vendor community – marketing to developers.

“This is about letting developers know where our organizations are,” he explained. “It’s about where the industry is going and where you may want to contribute to that momentum, to benefit from it; if you want to be tribal and fight against it, that’s your choice as well.”

Whatever you want to call it, in terms of strategy, a strong alliance between the EEA and Hyperledger would seem to put them on one side and R3 on the other.

Even so, R3 is definitely invited to the party, said Resnick. “I already asked them to join us. Will they agree? That might be a different story.”

However, Resnick said R3 is different from Hyperledger or EEA in that “they are not really open source,” making the distinction between open source and “open-core,” where open source software is centered around a single vendor.

“With a proprietary solution such as R3’s, you’ve got to buy stuff from them. That’s not what we are about and it’s not what Hyperledger is about,” said Resnick, concluding:

“The question is, are they going to last?”


from: https://www.coindesk.com/




Tim Berners-Lee Introduces New Open Source Project Allowing Individual Data Storage Choices and Control: SOLID by Inrupt Inc


One Small Step for the Web…

I’ve always believed the web is for everyone. That’s why I and others fight fiercely to protect it. The changes we’ve managed to bring have created a better and more connected world. But for all the good we’ve achieved, the web has evolved into an engine of inequity and division; swayed by powerful forces who use it for their own agendas.

Today, I believe we’ve reached a critical tipping point, and that powerful change for the better is possible — and necessary.

This is why I have, over recent years, been working with a few people at MIT and elsewhere to develop Solid, an open-source project to restore the power and agency of individuals on the web.

Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way.

Solid is a platform, built using the existing web. It gives every user a choice about where data is stored, which specific people and groups can access select elements, and which apps you use. It allows you, your family and colleagues, to link and share data with anyone. It allows people to look at the same data with different apps at the same time.

Solid unleashes incredible opportunities for creativity, problem-solving and commerce. It will empower individuals, developers and businesses with entirely new ways to conceive, build and find innovative, trusted and beneficial applications and services. I see multiple market possibilities, including Solid apps and Solid data storage.

Data should empower you

Solid is guided by the principle of “personal empowerment through data” which we believe is fundamental to the success of the next era of the web. We believe data should empower each of us.

Imagine if all your current apps talked to each other, collaborating and conceiving ways to enrich and streamline your personal life and business objectives? That’s the kind of innovation, intelligence and creativity Solid apps will generate.

With Solid, you will have far more personal agency over data — you decide which apps can access it.

Injecting momentum

In 2009, I said, “The web as I envisaged it we have not seen yet.” That was because people were using the web just for documents, not for the data of a big web-wide computer. Since then, we have seen a wave of open data, but not of read-write data. For example, much open government data is produced through a one-way pipeline, so we can only view it. With Solid, it becomes a read-write web where users can interact and innovate, collaborate and share.

Meanwhile though, there is a wave of concern, and related energy, desperate for change. People want to have a web they can trust. People want apps that help them do what they want and need to do — without spying on them. Apps that don’t have an ulterior motive of distracting them with propositions to buy this or that. People will pay for this kind of quality and assurance. For example, today people pay for storage in places like Dropbox. There is a need for Solid, and the different, beneficial approach it will provide.

It is going to take a lot of effort to build the new Solid platform and drive broad adoption but I think we have enough energy to take the world to a new tipping point.

So I have taken a sabbatical from MIT, reduced my day-to-day involvement with the World Wide Web Consortium (W3C) and founded a company called inrupt where I will be guiding the next stage of the web in a very direct way. Inrupt will be the infrastructure allowing Solid to flourish. Its mission is to provide commercial energy and an ecosystem to help protect the integrity and quality of the new web built on Solid.

There are many examples of open-source efforts that have benefited hugely from the contribution of a well-resourced company. While the open-source community provides initiative and a deep source of innovation, everyday web users as well as businesses often look for applications and services from a commercial entity that also provides technical support and vital, ancillary business services.

I believe this same model will be critical to the success of Solid. Inrupt’s success is totally aligned to Solid’s success. My partner and inrupt co-founder is John Bruce, an experienced business leader with the skills to execute on my vision for Solid. We share the same passion for creating a better and more balanced web.

Together, Solid and inrupt will provide new experiences benefitting every web user — and that are impossible on the web today. Where individuals, developers and businesses create and find innovative, life- and business-enriching applications and services. Where we all find trusted services for storing, securing and managing personal data.

I’m incredibly optimistic for this next era of the web.

I’ll still be acting as Founder and Director of W3C, the Web Foundation and the Open Data Institute as these are vital components for protecting what has been — and what will come. Inrupt, a W3C member, uses many existing standards and is part of the standards-building community. The Web Foundation advocates for data rights as part of its mission to advance a free and open web that benefits humanity. And the Open Data Institute’s drive to make data as open as possible while respecting privacy is very relevant. I wear many hats and when I’m working in each capacity, I’ll always try to act according to the interests of that organization.

These are very exciting times. I will be committed to steering the direction of Solid, and developing its future governance. Inrupt will do many things: its first priority will be the Solid ecosystem. With the right values and a foundational corporate infrastructure, we will build beneficial systems that work for everyone.

The future is still so much bigger than the past.

Follow our work here at inrupt and Solid

Read inrupt’s CEO’s blog post: “A New World of Opportunity”

Follow inrupt on Twitter

Questions? Email: info@inrupt.com

from: https://medium.com/@timberners_lee/one-small-step-for-the-web-87f92217d085

see also: https://solid.inrupt.com/docs




Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.


A new botnet which specializes in the compromise of Internet of Things (IoT) devices has been discovered which contains unprecedented levels of sophistication.

The botnet, dubbed Torii, is a cut above both the Mirai and QBot variants, according to researchers from Avast, as it possesses sophistication “a level above anything we have seen before.”

First discovered by a security researcher who goes by the Twitter handle VessOnSecurity, a strain of Torii was detected after hitting one of the researcher’s honeypots.



“The script is quite sophisticated, unlike the usual Mirai crap,” Vess tweeted. “The author is not your average script kiddie Mirai modder.”

Avast’s examination of the botnet revealed that Torii has likely been developed by someone with a thorough understanding of how botnets operate, rather than taking the bolt-on approach we have seen through recent Mirai variants, made possible after the public release of the IoT botnet’s source code in 2016.

The security firm says that Torii differs not only in terms of sophistication but also the variety of “advanced techniques” it uses.

“[Torii] comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication,” Avast says.

The botnet, believed to have been in operation since 2017, also has targeting capabilities not often seen in botnet variants. The system is able to infect architectures including MIPS, ARM, x86, x64, PowerPC, and SuperH, among others.

The discovery of the botnet was based on Telnet attacks emerging from Tor exit nodes. The botnet is able to take advantage of the use of weak credentials in IoT devices to compromise systems before executing a shell script which attempts to detect the architecture of a target device, before downloading an appropriate malware payload.

Torii will utilize a variety of commands, “wget”, “ftpget”, “ftp”, “busybox wget,” or “busybox ftpget,” to ensure payload delivery.

If binaries cannot be downloaded via HTTP, the botnet will use the FTP protocol. In the latter case, the botnet will use credentials embedded in the shell script to connect to an FTP server via an IP which is still active at the time of writing.

The binaries are droppers for the second payload, both of which are persistent.

Torii uses at least six methods to maintain persistence on a compromised device and runs all of them at the same time:

  • Automatic execution via injected code into ~/.bashrc
  • Automatic execution via “@reboot” clause in crontab
  • Automatic execution as a “System Daemon” service via systemd
  • Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
  • Automatic execution via modification of the SELinux Policy Management
  • Automatic execution via /etc/inittab

The second-stage payload then executes. This is the main botnet which is able to connect to the operator’s command-and-control (C2) server — of which at least three addresses are in operation — exfiltrate data, encrypt communication, and utilize anti-debugging techniques.

Torii communicates with its C2 via TCP port 443; however, Avast considers this “a deception,” as the TLS protocol is not in use. Rather, the botnet “takes advantage of [the] common use of this port for HTTPS traffic.”

The botnet is sophisticated, but despite potentially being active since last year, does not behave like a standard botnet involved in Distributed Denial-of-Service (DDoS) attacks or cryptojacking, and its overall purpose is still a mystery.

At the time of discovery, VirusTotal did not flag up two of the botnet’s executables as malicious. However, at the time of writing, 19 antivirus engines now detect one of the files, whereas another is only detected by five engines.


from: https://www.zdnet.com/article/meet-torii-a-new-iot-botnet-far-more-sophisticated-than-mirai/


Torii botnet – Not another Mirai variant

New, more sophisticated IoT botnet targets a wide range of devices



2018 has been a year where the Mirai and QBot variants just keep coming. Any script kiddie now can use the Mirai source code, make a few changes, give it a new Japanese-sounding name, and then release it as a new botnet.

Over the past week, we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses.

Unlike the aforementioned IoT botnets, this one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like DDoS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies.

Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.

Furthermore, Torii can infect a wide range of devices and it provides support for a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and others. Definitely, one of the largest sets we’ve seen so far.

As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer.

We would like to give credit to @VessOnSecurity, who actually tweeted about a sample of this strain hitting his telnet honeypot last week.

According to this security researcher, telnet attacks have been coming to his honeypot from Tor exit nodes, so we decided to name this botnet strain “Torii”.

In this post, we will describe what we know about this strain so far, how it is spreading, what are its stages, and we will depict some of its features.

The analysis is still ongoing and further findings will be included in blog post updates.


Now, let’s start with the infection vector.

Analysis of the initial shell script

The infection chain starts with a telnet attack on the weak credentials of targeted devices followed by execution of an initial shell script. This script looks quite different from typical scripts that IoT malware uses in that it is far more sophisticated.

The script initially tries to discover the architecture of the targeted device and then attempts to download the appropriate payload for that device. The list of architectures that Torii supports is quite impressive, including devices based on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH and PPC, with various bit-widths and endianness. This allows Torii to infect a wide range of devices running on these very common architectures.


The malware uses several commands to download binary payloads by executing the following commands: “wget”, “ftpget”, “ftp”, “busybox wget”, or “busybox ftpget”. It uses multiple commands to maximize the likelihood that it can deliver the payload.

If the binaries cannot be downloaded via the HTTP protocol with the “wget” or “busybox wget” commands, it will use FTP. When the FTP protocol is being used, it requires authentication. Credentials are nicely provided in the script:

Username:     u="<redacted>"
Password:      p="<redacted>"

Port for FTP:  po=404
IP of the FTP/HTTP server: (This IP is still alive at the time of writing this post.)

By connecting to the FTP server, there is quite a lot going on:


Full torii directory structure:


Among other things, the server contains logs from the NGINX and FTP servers, payload samples, a bash script that directs the infected devices to this very machine where the malware is hosted, and more. We’ll discuss what we found in these logs at the end of this post, but first let’s take a look at all the samples that are hosted there.

Analysis of the 1st stage payload (dropper)

Once the script determines which architecture the target device is running on, it downloads and executes the appropriate binary from the server. All of these binary files are in the ELF file format. While analyzing these payloads, we found that they are all very similar and are “just” droppers of the second stage payload. What is notable is that they use several methods to make the second stage persistent on the target device. Let’s look deeper into the details below.

For our description, we’ll focus on the x86 sample with the SHA256 hash:


String Obfuscation

First we tried to de-obfuscate the sample, so we delved into some of the text strings to look for clues on how the malware works. The vast majority of text strings in the 1st and 2nd stage are encrypted by a simple XOR-based encryption and they are decrypted during runtime when a particular string is needed. You can use the following IDA Python script for decryption:

sea = ScreenEA()   # cursor placed on the first byte of the encrypted string
max_size = 0xFF
for i in range(0x00, max_size):
    b = Byte(sea + i)
    # key bytes cycle 0xDE, 0xEA, 0xBC, 0xFE (the 32-bit key consumed little-endian)
    decoded_byte = (b ^ (0xFEBCEADE >> 8 * (i % 4))) & 0xFF
    if b == 0x00 or decoded_byte == 0x00:
        break   # raw or encrypted NUL: end of the string
    PatchByte(sea + i, decoded_byte)   # assumed completion (the page cuts the script off here): write the decoded byte into the IDB

e.g. F1 9A CE 91 BD C5 CF 9B B2 8C 93 9B A6 8F BC 00 → ‘/proc/self/exe’
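The same decoder as an added stand-alone Python example (not from the Avast post or the IDA script above), so the scheme can be checked without IDA: the 32-bit key 0xFEBCEADE and its byte schedule are taken from the script, the sample bytes are the post’s ‘/proc/self/exe’ example, and the assumption that each encrypted string ends in an XOR-encoded NUL followed by a raw 0x00 (as that example does) is mine.

```python
# Added example: stand-alone re-implementation of Torii's XOR string obfuscation.
# Key and schedule from the IDA script on the page; the string layout (encrypted
# NUL then raw 0x00) is assumed from the '/proc/self/exe' example.
from typing import List, Tuple

KEY = 0xFEBCEADE


def key_byte(i: int) -> int:
    """Key byte for position i: the 32-bit key is used little-endian and repeats
    every 4 bytes (0xDE, 0xEA, 0xBC, 0xFE, 0xDE, ...)."""
    return (KEY >> (8 * (i % 4))) & 0xFF


def decode_string(buf: bytes, offset: int = 0, max_size: int = 0xFF) -> str:
    """Decode one obfuscated string starting at `offset`, exactly as the IDA script
    does: the key index restarts at 0 at the string start, and decoding stops at a
    raw 0x00 or at a byte that decodes to 0x00 (the encrypted terminator)."""
    out = bytearray()
    for i in range(max_size):
        if offset + i >= len(buf):
            break
        b = buf[offset + i]
        d = b ^ key_byte(i)
        if b == 0x00 or d == 0x00:
            break
        out.append(d)
    return out.decode("latin-1")


def encode_string(plain: bytes) -> bytes:
    """Inverse operation (assumed layout): XOR the text and its NUL terminator with
    the key stream, then append a raw 0x00, matching the byte sequence in the post."""
    enc = bytes(c ^ key_byte(i) for i, c in enumerate(plain + b"\x00"))
    return enc + b"\x00"


def carve_strings(buf: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Walk a blob (e.g. a data section dumped from the sample) and report every
    offset at which the decoder yields a printable ASCII string of at least
    `min_len` characters. Because the key index restarts per string, a wrong start
    offset almost always decodes to garbage, so the printable filter separates
    real strings from noise."""
    found = []
    i = 0
    while i < len(buf):
        s = decode_string(buf, i)
        if len(s) >= min_len and all(0x20 <= ord(c) < 0x7F for c in s):
            found.append((i, s))
            i += len(s) + 1          # skip the string and its encrypted terminator
        else:
            i += 1
    return found


# Constructed sample: the post's '/proc/self/exe' bytes followed by a second string
# encoded here with the same scheme (not taken from a real sample).
SAMPLE = bytes.fromhex("F19ACE91BDC5CF9BB28C939BA68FBC00") + encode_string(b"/usr/bin")

if __name__ == "__main__":
    for off, s in carve_strings(SAMPLE):
        print(f"0x{off:04x}: {s}")
```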

Install 2nd Stage ELF File

The core functionality of the first stage is to install another ELF file, the second stage executable, which is contained within the first ELF file.

The file is installed into a pseudo-random location that is generated by combining a predefined location from a fixed list:

  • “/usr/bin”
  • “/usr/lib”
  • “/system/xbin”
  • “/dev”
  • “/var/tmp”
  • “/tmp”

and a filename from another list:

  • “setenvi”
  • “bridged”
  • “swapper”
  • “natd”
  • “lftpd”
  • “initenv”
  • “unix_upstart”
  • “mntctrd”
  • etc.

Putting these two items together creates the destination file path.

Make the 2nd Stage Persistent

Afterwards, the dropper makes sure that the second stage payload is executed and that it will remain persistent. It is unique in that it is remarkably thorough in how it achieves persistence. It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them.

    1. Automatic execution via injected code into ~/.bashrc
    2. Automatic execution via “@reboot” clause in crontab
    3. Automatic execution as a “System Daemon” service via systemd
    4. Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
    5. Automatic execution via modification of the SELinux Policy Management
    6. Automatic execution via /etc/inittab

And, finally, it executes the dropped inner ELF – the second stage payload.
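A host-side audit for these persistence methods, as an added example (not Avast’s or Torii’s code): it combines the install directories and file names listed above into the 48 paths the dropper can choose from and scans bashrc, crontab, systemd unit and inittab/init-script contents for them and for the “System Daemon” label. The file contents here are constructed samples; on a real host you would read the actual files. The SELinux policy method is not covered because the post gives no detail on it.

```python
# Added example: audit persistence locations for Torii's dropper artefacts.
# Install dirs, file names and the "System Daemon" label come from the post;
# the sample file contents below are constructed, not from a real infection.
import re
from typing import Callable, Dict, List, Optional, Tuple

INSTALL_DIRS = ["/usr/bin", "/usr/lib", "/system/xbin", "/dev", "/var/tmp", "/tmp"]
INSTALL_NAMES = ["setenvi", "bridged", "swapper", "natd", "lftpd",
                 "initenv", "unix_upstart", "mntctrd"]
DAEMON_NAME = "System Daemon"

# (source, line number, reason, offending line)
Finding = Tuple[str, int, str, str]


def candidate_paths() -> List[str]:
    """All dir/name combinations the dropper can pick (6 x 8 = 48 paths)."""
    return sorted(f"{d}/{n}" for d in INSTALL_DIRS for n in INSTALL_NAMES)


# One regex for all 48 paths; the lookahead stops "/tmp/natd" matching "/tmp/natdump".
_PATH_RE = re.compile(r"(?:%s)(?![\w.-])" % "|".join(re.escape(p) for p in candidate_paths()))


def _scan(source: str, text: str, rule: Callable[[str], Optional[str]]) -> List[Finding]:
    """Flag every line naming a dropper path; otherwise apply the source-specific rule."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _PATH_RE.search(line)
        if m:
            findings.append((source, no, f"references dropper path {m.group(0)}", line))
            continue
        reason = rule(line)
        if reason:
            findings.append((source, no, reason, line))
    return findings


def _crontab_rule(line: str) -> Optional[str]:
    # Method 2: any @reboot entry deserves a look even when it names an unknown path.
    return "review: @reboot entry" if line.lstrip().startswith("@reboot") else None


def _systemd_rule(line: str) -> Optional[str]:
    # Method 3: the unit calls itself "System Daemon".
    key, _, val = line.partition("=")
    if key.strip() == "Description" and val.strip() == DAEMON_NAME:
        return f"unit labelled {DAEMON_NAME!r}"
    return None


def _init_rule(line: str) -> Optional[str]:
    # Method 4: scripts under /etc/init reusing the same label.
    return f"init script mentions {DAEMON_NAME!r}" if DAEMON_NAME in line else None


def _inittab_rule(line: str) -> Optional[str]:
    # Method 6: respawn entries restart a program forever; review unknown ones.
    return "review: respawn entry" if ":respawn:" in line else None


RULES: Dict[str, Callable[[str], Optional[str]]] = {
    "bashrc": lambda line: None,   # Method 1: only the path check applies
    "crontab": _crontab_rule,
    "systemd": _systemd_rule,
    "init": _init_rule,
    "inittab": _inittab_rule,
}


def audit(sources: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """sources maps a label (file name) to (kind, contents); kind selects the rule."""
    out: List[Finding] = []
    for label, (kind, text) in sources.items():
        out.extend(_scan(label, text, RULES[kind]))
    return out


# Constructed sample contents (benign and suspicious entries side by side).
SAMPLE_SOURCES: Dict[str, Tuple[str, str]] = {
    "~/.bashrc": ("bashrc", "export PATH=$PATH:/opt/bin\n/usr/lib/setenvi &\n"),
    "crontab": ("crontab", "0 3 * * * /usr/bin/backup.sh\n@reboot /var/tmp/natd\n"
                           "@reboot /usr/local/bin/sync.sh\n"),
    "system-daemon.service": ("systemd", "[Unit]\nDescription=System Daemon\n"
                                         "[Service]\nExecStart=/tmp/bridged\n"),
    "/etc/inittab": ("inittab", "id:3:initdefault:\nsd:2345:respawn:/dev/lftpd\n"),
}

if __name__ == "__main__":
    for src, no, reason, line in audit(SAMPLE_SOURCES):
        print(f"{src}:{no}: {reason}: {line}")
```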

Analysis of the 2nd stage payload (bot)

The second stage payload is a full-fledged bot capable of executing commands from its master (CnC). It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc.

Furthermore, many functions found in the second stage are the same as in the first, making it highly likely they are both created by the same author(s).

The code inside of the first stage payload is almost identical in all the versions. This is however not true in the case of the second stage, where we find differences among the binaries for various hardware architectures. To describe the core functionality that can be found in most of the versions, we will once again take a look at the x86 code found in the sample with SHA256 hash: 5c74bd2e20ef97e39e3c027f130c62f0cfdd6f6e008250b3c5c35ff9647f2abe.

Anti-Analysis Methods

The anti-analysis methods in this malware are not as advanced as we are accustomed to seeing in Windows or mobile malware, but they are improving.

  • It uses the simple anti-analysis method of a 60-second sleep() after execution, which probably tries to circumvent simple sandboxes.
  • Furthermore, it tries to randomize the process name via prctl(PR_SET_NAME) call to something like “\[[a-z]{12,17}\]” (regular expression) in order to avoid detection of blacklisted process names.
  • Finally, the authors are trying to make the analysis harder by stripping the symbols from executables. When we first downloaded the samples from the aforementioned server, they all contained symbols, which made their analysis easier. It is interesting to note that a few days later these files were replaced by their stripped versions. No other differences were found between these two versions, leading us to believe that the authors are taking continual action to further protect their executables against analysis.
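A detection check for the process-name trick, as an added example that is not from the Avast post: the name pattern is the regular expression quoted above, and the rest rests on the fact that on Linux only tools like ps add the square brackets around kernel thread names for display, so a /proc/<pid>/comm that itself contains brackets, backed by a real executable or a parent other than kthreadd, belongs to a user-space process masquerading as a kernel thread. The /proc snapshot is constructed.

```python
# Added example: spot user-space processes whose comm mimics a kernel thread name,
# the prctl(PR_SET_NAME) trick described above. The /proc data below is constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern quoted in the post for Torii's randomized names.
FAKE_KTHREAD_RE = re.compile(r"^\[[a-z]{12,17}\]$")
KTHREADD_PID = 2   # genuine kernel threads are kthreadd or its children


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, the field PR_SET_NAME rewrites
    exe: Optional[str]   # readlink("/proc/<pid>/exe"); fails (None) for kernel threads
    cmdline: str         # /proc/<pid>/cmdline; empty for kernel threads


def parse_status(status_text: str) -> dict:
    """Pull Name/Pid/PPid out of /proc/<pid>/status text ("Key:\\tvalue" lines)."""
    fields = {}
    for line in status_text.splitlines():
        key, _, val = line.partition(":")
        fields[key.strip()] = val.strip()
    return {"comm": fields["Name"], "pid": int(fields["Pid"]), "ppid": int(fields["PPid"])}


def is_masquerading(p: ProcInfo) -> bool:
    """A bracketed name in comm is already odd (ps adds brackets only for display);
    report it as masquerading when the process also shows user-space traits."""
    if not FAKE_KTHREAD_RE.match(p.comm):
        return False
    return (p.exe is not None or p.cmdline != ""
            or (p.ppid != KTHREADD_PID and p.pid != KTHREADD_PID))


def find_masquerading(procs: List[ProcInfo]) -> List[int]:
    """PIDs whose name mimics a kernel thread but which run from a real binary."""
    return [p.pid for p in procs if is_masquerading(p)]


# Constructed /proc snapshot: kthreadd, a real kworker, the masquerader, a short name.
SAMPLE_PROCS = [
    ProcInfo(**parse_status("Name:\tkthreadd\nPid:\t2\nPPid:\t0\n"), exe=None, cmdline=""),
    ProcInfo(**parse_status("Name:\tkworker/0:1\nPid:\t17\nPPid:\t2\n"), exe=None, cmdline=""),
    ProcInfo(**parse_status("Name:\t[xwqmrtabhjkls]\nPid:\t4711\nPPid:\t1\n"),
             exe="/var/tmp/natd", cmdline="/var/tmp/natd"),
    ProcInfo(**parse_status("Name:\t[abc]\nPid:\t4712\nPPid:\t1\n"), exe="/bin/sh", cmdline="sh"),
]

if __name__ == "__main__":
    print(find_masquerading(SAMPLE_PROCS))
```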

CnC Servers

As we already said, this component is a bot that communicates with a master CnC server. The addresses of the CnCs are once again encrypted by the aforementioned XOR-based cipher. It seems that each Torii version contains 3 CnC addresses. The campaign that is currently running tries to get commands from CnC servers running at:

  • top.haletteompson.com
  • cloud.tillywirtz.com
  • trade.andrewabendroth.com

It tries to communicate with the first domain from the list and moves to the next one if it fails. In the case of failure, it also tries to resolve the domain name via Google DNS.


Resolving CnC domain name


These three domain names have resolved to IP since September 15, 2018. Some other domains hosted on the same IP are also quite suspicious:


That so many strange looking domains are hosted at one IP address raises concern. Furthermore, the CnC domain names resolved to a different IP address ( before that.


(History of resolving DNS names hardcoded in the sample)


Some more digging turned up another set of ELF samples belonging to Torii with three different CnC addresses:

  • press.eonhep.com
  • editor.akotae.com
  • web.reeglais.com

They all resolved to the same IP ( in the past and, for example “press.eonhep.com” was using this IP since December 8, 2017. Therefore, we think that this strain has been in existence since at least December 2017 and quite possibly longer.

CnC Communication

The second stage communicates with these CnC servers via TCP port 443, with further encryption layers on top. It is interesting to note that it uses port 443 as a deception: it doesn’t communicate using TLS but takes advantage of the common use of this port for HTTPS traffic. Each message (including replies) forms a structure we call a “message envelope”; each envelope is AES-128 encrypted and carries an MD5 checksum of the content to ensure it hasn’t been modified or corrupted. Furthermore, each envelope contains a stream of messages where each message is encrypted by a simple XOR-based encryption, which is different from the one used to obfuscate the strings. It isn’t as strong as it looks, since the decryption keys are included in the communication.


Algorithm used for encryption of CnC messages


Torii also exfiltrates the following information while connecting to a CnC server:

  • Hostname
  • Process ID
  • Path to second stage executable
  • All MAC addresses found in /sys/class/net/%interface_name%/address, plus their MD5 hash. This serves as a unique victim ID that lets the operators fingerprint and catalog devices more easily. The hash is also stored in local files with strange names such as GfmVZfJKWnCheFxEVAzvAMiZZGjfFoumtiJtntFkiJTmoSsLtSIvEtufBgkgugUOogJebQojzhYNaqyVKJqRcnWDtJlNPIdeOMKP, VFgKRiHQQcLhUZfvuRUqPKCtcrjmhtKcYQorAWhqAuZuWfQqymGnWiiZAsljnyNlocePAOHaKHvGoNXMZfByomZqEMbtkOEzQkQq, XAgHrWKSKyJktzLCMcEqYqfoeUBtgodeOjLgfvArTLeOkPSyRxqrpvFWRhRYvVcLeNtMKTdgFhwrypsRoIiDeObVxTTuOVfSkzgx, etc.
  • Details returned by the uname() call: sysname, version, release, and machine.
  • Outputs of the following commands, run to gather yet more information about the target device:

id 2>/dev/null
uname -a 2>/dev/null
whoami 2>/dev/null
cat /proc/cpuinfo 2>/dev/null
cat /proc/meminfo 2>/dev/null
cat /proc/version 2>/dev/null
cat /proc/partitions 2>/dev/null
cat /etc/*release /etc/issue 2>/dev/null
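To make the fingerprint above concrete for incident responders, here is an added example (written for this page, not Torii’s own code) that reproduces the victim ID and hunts for the oddly named files that store it. Two points are assumptions, not facts from the analysis: the bot’s exact way of joining the MAC addresses before hashing is not stated, so the sorted, newline-joined concatenation is a guess; and the “exactly 100 mixed-case letters” filename heuristic is derived only from the three names quoted above.

```python
"""Added example: reproduce Torii's device fingerprint and hunt for its ID files.

Illustrative code written for this page, not Torii's own. The analysis says the bot
collects every MAC from /sys/class/net/<iface>/address and sends it with an MD5 of
it. How the addresses are joined before hashing is NOT stated: the sorted,
newline-joined concatenation below is an assumption. The 100-letter filename
pattern is derived from the three names quoted above and is also an assumption.
"""
import hashlib
import os
import re
import tempfile

# Assumption: derived from the three quoted names, each exactly 100 letters long
NAME_PATTERN = re.compile(r"^[A-Za-z]{100}$")


def collect_macs(sysfs_net="/sys/class/net"):
    """Return the MAC strings under <sysfs_net>/<iface>/address, ordered by interface name."""
    macs = []
    for iface in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, iface, "address")
        try:
            with open(path) as fh:
                mac = fh.read().strip()
        except OSError:  # e.g. a virtual interface without an address file
            continue
        if mac:
            macs.append(mac)
    return macs


def victim_id(macs):
    """MD5 over the joined MAC list (the join format is an assumption, see above)."""
    return hashlib.md5("\n".join(macs).encode()).hexdigest()


def find_suspect_files(root):
    """Paths whose basename is exactly 100 letters, like the names quoted in the analysis."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NAME_PATTERN.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Run both checks against a constructed sysfs tree and a few constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        net = os.path.join(tmp, "sys", "class", "net")
        # constructed interfaces and MACs, not data from a real device
        for iface, mac in (("eth0", "02:00:00:aa:bb:cc"), ("lo", "00:00:00:00:00:00")):
            os.makedirs(os.path.join(net, iface))
            with open(os.path.join(net, iface, "address"), "w") as fh:
                fh.write(mac + "\n")
        macs = collect_macs(net)
        vid = victim_id(macs)
        # constructed file names: one matches the pattern, two do not
        for name in ("A" * 100, "notes.txt", "B" * 99):
            open(os.path.join(tmp, name), "w").close()
        hits = find_suspect_files(tmp)
        return macs, vid, [os.path.basename(h) for h in hits]


if __name__ == "__main__":
    print(demo())
```

On a live device, call collect_macs() with the default path and then grep the filesystem for the resulting hex digest as well as for files matching the name pattern; a hit on either is worth a closer look, and a hit on both is a strong indicator.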

CnC Commands

While analyzing the code, we found that the bot component actively polls the CnC in an endless loop, repeatedly asking whether there are any commands to execute. After receiving a command, it replies with the results of the command execution. Each message envelope carries a value specifying which type of command it brings, and the reply uses the same value. We have uncovered the following command types:


  • 0xBB32 Store a file from CnC to a local drive:
    • Receive:
      1. Filepath where to store content from CnC
      2. Content
      3. MD5 checksum of content
    • Reply:
      1. File path where the file was stored
      2. Error code
  • 0xA16D Receive value of timeout to be used for CnC polling:
    • Receive:
      1. DWORD with number of minutes to sleep between CnC contacts
    • Reply:
      1. Message with code 66


  • 0xAE35 Execute a given command in a desired shell interpreter and send outputs back to CnC:
    • Receive:
      1. Command to execute in shell (sh -c "exec COMMAND")
      2. WORD with execution timeout in seconds (max 60 seconds)
      3. String with a path to shell interpreter (optional)
    • Reply:
      1. String with outputs (stdout + stderr) of command execution
  • 0xA863 Store a file from CnC to a given path, set its permissions to rwxr-xr-x (0755) to make it executable, and then execute it:
    • Receive:
      1. File path where to store content from CnC
      2. Content
      3. MD5 checksum of content
    • Reply:
      1. File path where the file was stored
      2. Return code from execution of that file
  • 0xE04B Check that the given file exists on the local system and return its size:
    • Receive:
      1. Filepath to check
    • Reply:
      1. File path
      2. File size
  • 0xF28C Read N bytes from offset O of selected file F and send them to CnC:
    • Receive:
      1. File path to file (F) to read from
      2. QWORD offset (O) where to start reading
      3. DWORD number (N) of bytes to read
    • Reply:
      1. File content
      2. Offset
      3. Size of bytes read
      4. MD5 checksum of read content
  • 0xDEB7 Delete a specified file
    • Receive:
      1. Name of a file to delete
    • Reply:
      1. Error code
  • 0xC221 Download a file from the given URL
    • Receive:
      1. Path where to a store file
      2. URL
    • Reply:
      1. File path
      2. URL
  • 0xF76F Get the address of a new CnC server and start communicating with it:
    • Receive:
      1. ?
      2. New domain name
      3. New port
      4. ?
    • Reply:
      1. Repeat the received information
  • 0x5B77, 0x73BF, 0xEBF0, and probably other codes: heartbeat or ping messages that assure each side that the communication channel is still working:
    • Receive:
      1. Everything received is ignored
    • Reply:
      1. Repeat the received information
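The following added example ties together the envelope description in the “CnC Communication” section and the command table above. It is illustrative code written for this page, not Torii’s own code, and it is not Torii’s real wire format: the field layout (big-endian u16 type, u16 key length, key bytes, u32 length, XOR-ed payload, with an MD5 of the whole content at the end) is an assumption, and the outer AES-128 layer is deliberately not reproduced. What it does preserve are the properties the analysis describes: a stream of messages per envelope, an MD5 over the content, and a per-message XOR key that travels with the message, so that anyone holding the envelope can decode it without a shared secret.

```python
"""Added example: decoder for a Torii-style CnC message envelope.

Illustrative code for this page, not Torii's code and not its real wire format.
Assumed layout per message: >H type, >H key length, key, >I payload length, payload
XOR-ed with the key. Envelope = concatenated messages + MD5(content). The outer
AES-128 layer the analysis describes is not modelled here.
"""
import hashlib
import struct

# Command types documented in the analysis above
COMMAND_TYPES = {
    0xBB32: "store file",
    0xA16D: "set polling timeout",
    0xAE35: "execute shell command",
    0xA863: "store file and execute",
    0xE04B: "check file exists / size",
    0xF28C: "read file range",
    0xDEB7: "delete file",
    0xC221: "download from URL",
    0xF76F: "switch to new CnC",
}
HEARTBEAT_TYPES = {0x5B77, 0x73BF, 0xEBF0}


def xor_bytes(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_message(cmd_type, key, plaintext):
    """Serialise one message with its XOR key placed in front of the payload."""
    body = xor_bytes(plaintext, key)
    return struct.pack(">HH", cmd_type, len(key)) + key + struct.pack(">I", len(body)) + body


def pack_envelope(messages):
    """Concatenate messages and append the MD5 of the content."""
    content = b"".join(messages)
    return content + hashlib.md5(content).digest()


def is_intact(envelope):
    """True if the trailing MD5 matches the content (detects corruption, not tampering by a peer)."""
    content, digest = envelope[:-16], envelope[-16:]
    return hashlib.md5(content).digest() == digest


def unpack_envelope(envelope):
    """Verify the MD5 and recover every message; no secret is needed because the key is inline."""
    if not is_intact(envelope):
        raise ValueError("MD5 mismatch: envelope corrupted or modified")
    content = envelope[:-16]
    messages, off = [], 0
    while off < len(content):
        cmd_type, key_len = struct.unpack_from(">HH", content, off)
        off += 4
        key = content[off:off + key_len]
        off += key_len
        (body_len,) = struct.unpack_from(">I", content, off)
        off += 4
        body = content[off:off + body_len]
        off += body_len
        messages.append((cmd_type, xor_bytes(body, key)))
    return messages


def describe(cmd_type):
    """Map a command type to the behaviour listed in the analysis."""
    if cmd_type in HEARTBEAT_TYPES:
        return "heartbeat"
    return COMMAND_TYPES.get(cmd_type, "unknown")


def demo():
    """Constructed traffic: a shell command, a polling timeout and a heartbeat."""
    env = pack_envelope([
        pack_message(0xAE35, b"\x13\x37", b"id 2>/dev/null"),
        pack_message(0xA16D, b"\xaa", struct.pack("<I", 10)),  # DWORD: 10 minutes
        pack_message(0x5B77, b"\x01", b"ping"),
    ])
    return [(describe(t), data) for t, data in unpack_envelope(env)]


if __name__ == "__main__":
    for what, payload in demo():
        print(what, payload)
```

Two caveats follow directly from the structure. The MD5 only detects accidental corruption: any party holding the envelope can recompute it after changing the content, so it provides no authentication. And because the XOR key rides inside the message, the inner layer adds no confidentiality of its own; whatever protection exists comes entirely from the outer AES-128 layer and its key management.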

Analysis of the sm_packed_agent

While investigating the server, we found another interesting binary on the FTP server, called “sm_packed_agent”. We have no evidence that it has been used on the server, but its versatility suggests it could be used to send any desired remote command to a target device. It contains a Go application packed with UPX; once unpacked, it has a few interesting strings that suggest server-like capabilities:



Underneath, it uses the following third-party libraries:

Code Reuse


Possible name of source code:


Some of these libraries are distributed under a BSD licence, which requires the copyright notice to be redistributed. Apparently Torii’s authors don’t care about copyright infringement.


The functionality of the unpacked agent is as follows:

  • Takes one command-line parameter, -p, with the port number
  • Initializes crypto and loads the TLS keys and certificate
  • Creates a server and listens for TLS connections
  • Awaits commands encoded in BSON format
  • The command handler inside knows these commands:
    • 1: Monitor_GO_agent__Agent_GetSystemInfo
    • 2: Monitor_GO_agent__Agent_GetPerformanceMetrics
    • 7: Monitor_GO_agent__Agent_ExecCmdWithTimeout
      This command appears to be able to run any arbitrary OS command read from the BSON payload.

TLS encryption, certificates and keys:

  • The agent uses the ChaCha20-Poly1305 cipher for TLS
  • Keys and certificates sit in the same directory
  • Self-signed certificate authority ca.crt, issued to “Mayola Mednick”
  • client.crt issued by ca.crt to “Dorothea Gladding”
  • server.crt + server.key issued by ca.crt to “Graham Tudisco”

The chain is rooted in a self-signed CA, and the subject names are obviously fake.


This script kills any previous instances of sm_packed_agent, starts it on TCP port 45709, and restarts it if it fails.


A script which runs and keeps running sm_packed_agent


It is not yet known how Torii’s authors use this service, but it is incredibly versatile and could be used to run any command on the device. And because the application is written in Go, it can easily be recompiled for virtually any architecture. Given that this file is present on a malware distribution machine, it is quite possible that it is a backdoor, or even a service to orchestrate multiple machines.

Analysis of Logs From the Server

Finally, we took a look at the logs we found for both the Nginx server and the FTP server. Such access logs can help us understand how many clients were actually infected by Torii or tried to download it.

As we write this blog, Torii authors have already disabled FTP and Nginx logging (more on that below), but looking at the logs that are available, we can generate some simple statistics.

A total of 206 unique IPs connected to the server on September 7th, 8th, 19th, and 20th according to the logs on the server.

Access-2018-09-07.log – 54 unique IPs
Access-2018-09-08.log – 20 unique IPs
Access-2018-09-19.log – 189 unique IPs
Access-2018-09-20.log – 10 unique IPs

It looks like one IP connected to the server 1,056,393 times!

Looking into the logs, it seems that someone actually ran DirBuster-1.0-RC1 against the server, trying to figure out what is going on. DirBuster is a brute-force tool that guesses directory and file names on a web server and generates a very large number of requests. It is quite unfortunate if this scan originated from a researcher, as there are more elegant approaches in the case of sophisticated malware like Torii.
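As an added illustration of how the numbers above are derived (this is example code written for this page, not Avast’s tooling), the function below reads Nginx access logs in the default “combined” format and reports unique clients per file, unique clients overall, the heaviest client, and which clients identified themselves as DirBuster. The log lines are constructed; only the Access-YYYY-MM-DD.log naming and the DirBuster-1.0-RC1 version string are taken from the page.

```python
"""Added example: unique clients, heaviest client and DirBuster noise from Nginx access logs.

Illustrative code written for this page, not Avast's tooling. SAMPLE_LOGS is
constructed and is not real traffic from the Torii server.
"""
import re
from collections import Counter

# Nginx default "combined" format:
# ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two days of logs, one client seen on both days,
# one DirBuster scanner, and one unparseable line.
SAMPLE_LOGS = {
    "Access-2018-09-19.log": """\
203.0.113.5 - - [19/Sep/2018:10:00:01 +0000] "GET /md/zing.txt HTTP/1.1" 200 512 "-" "Wget/1.19"
203.0.113.6 - - [19/Sep/2018:10:00:02 +0000] "GET /md/zing.txt HTTP/1.1" 200 512 "-" "curl/7.52"
198.51.100.9 - - [19/Sep/2018:10:05:00 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [19/Sep/2018:10:05:00 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [19/Sep/2018:10:05:01 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "DirBuster-1.0-RC1"
""",
    "Access-2018-09-20.log": """\
203.0.113.5 - - [20/Sep/2018:01:00:00 +0000] "GET /md/zing.txt HTTP/1.1" 200 512 "-" "Wget/1.19"
garbage line that does not parse
""",
}


def parse_lines(text):
    """Yield one dict per well-formed log line; silently skip lines that do not parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarise(logs):
    """Return (unique IPs per file, unique IPs overall, requests per IP, IPs using DirBuster)."""
    per_file = {}
    requests = Counter()
    all_ips = set()
    dirbuster = set()
    for name, text in sorted(logs.items()):
        ips = set()
        for rec in parse_lines(text):
            ips.add(rec["ip"])
            requests[rec["ip"]] += 1
            if rec["agent"].startswith("DirBuster"):
                dirbuster.add(rec["ip"])
        per_file[name] = len(ips)
        all_ips |= ips
    return per_file, len(all_ips), requests, sorted(dirbuster)


def heaviest_client(requests):
    """The (ip, request count) pair with the most requests."""
    return requests.most_common(1)[0]


if __name__ == "__main__":
    per_file, total, requests, scanners = summarise(SAMPLE_LOGS)
    print(per_file, total, heaviest_client(requests), scanners)
```

Note that the per-file counts do not add up to the overall figure whenever a client appears on more than one day; in the sample, 3 + 1 per-file uniques collapse to 3 overall, which is the same effect that makes the four daily counts above (54 + 20 + 189 + 10) exceed the 206 unique IPs reported. Counting requests per IP rather than unique IPs is what surfaces the one address responsible for over a million hits.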

By scanning the ports of the IP, we can see that a few ports are open:



On port 27655, there is an SSH banner which states:

“SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3”

It looks like this box is running Raspbian. If you are behind this, write us.

Other logs that are available to us are FTP server logs.

There are a few clients that connected and downloaded some files that are not on the FTP server anymore:

Sat Sep  8 08:31:24 2018 1 6 /media/veracrypt1/nginx/md/zing.txt b _ o r md ftp 0 * c

According to logs we were able to analyze, a total of 592 unique clients were downloading files from this server over a period of a few days. It’s important to remember that once the target device receives the payload, it stops connecting to the download server and connects to the CnC server. Therefore, we are likely seeing a snapshot of new devices that were recruited into this botnet over the period of time for which we have log files.

Additionally, 8 clients used both the HTTP server and the FTP server, which could happen if the HTTP download failed for some reason, or if Torii’s authors were testing the functionality of the bash script or the server setup.

We cannot speculate about what we do not have evidence for, but this server could be just one of a number of servers infecting new target devices, and only further investigation will reveal the true scope of this botnet. Given the level of sophistication of the malware we researched, it would seem likely that it is designed to map and control a large number of diverse devices.


Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but through that CnC channel it allows Torii’s authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use. Also, because the payload itself does not scan for other potential targets, it is quite stealthy on the network layer.


from: https://blog.avast.com/new-torii-botnet-threat-research




Porsche Increases Investments in New Technologies With Focus on Blockchain and AI Startups

German automobile manufacturer Porsche AG will increase its investments in startups — with a focus on blockchain and artificial intelligence (AI) — by around $176 million over the next five years, according to a company press release published September 25.

The increase in Porsche’s total investment in venture capital activities for the next five years was prompted by the need to “gain access to trends, new technologies and business models,” the press release notes.

The investments will be aimed at “early and growth” stage businesses that relate to “customer experience, mobility and digital lifestyle,” as well as future technologies including blockchain, AI, and virtual and augmented reality.

Lutz Meschke, deputy chairman and member of the executive board for finance and IT at Porsche AG, noted that the company must “fundamentally change [their] business model” in order to see success in the future, adding:

“To date, innovation has been driven to a large degree by technology and with strong links to our current core competencies […] It is essential that we build a strong ecosystem with competent partners.”

Earlier this year, Porsche had begun exploring the use of blockchain applications in its vehicles in partnership with the Berlin-based startup XAIN. In the Sept. 25 press release, Porsche notes that Porsche Ventures is already a minority shareholder in a firm that uses blockchain to manage vintage vehicles’ history.

In March, Daimler AG, a car manufacturing giant famous for its Mercedes-Benz and Smart brands, revealed it was testing its own blockchain-based digital currency, the MobiCoin, that would reward drivers for environmentally friendly driving habits.

Also in March, another German car manufacturer, Audi, had announced that it had been testing blockchain technology for its physical and financial distribution processing.


from: https://cointelegraph.com/news/porsche-increases-investments-in-new-technologies-with-focus-on-blockchain-and-ai-startups



