Monthly Archives: December 2016

Human Factors in Cybersecurity

Humans are a central focus in cybersecurity

Cybersecurity remains a top concern for businesses around the world. In an effort to combat cyber attacks and threats, businesses continuously integrate technology without realizing that technologically deterministic practices are detrimental and counterproductive. Cyber threats and vulnerabilities evolve daily; however, some vulnerabilities are unintended consequences of integrating new technologies. Without a doubt, technology can aid in combatting cyber threats and mitigating vulnerabilities. One of the biggest anomalies in cybersecurity is neglecting the implications for humans.

Cybersecurity is a human problem not only in terms of strategy but also in ensuring organizations take a human-centric approach to cybersecurity. There are countless examples in cybersecurity of organizations forging ahead with technological integration rather than assessing the integration with a human-centric approach. Existing research on human factors in cybersecurity tends to focus primarily on human error rather than taking a comprehensive look at the problems. In fairness, the problem lies with the lack of scientific frameworks, concepts, and models regarding human-centric issues in cybersecurity.

An ongoing strategic initiative is the proliferation of Science of Security (SoS) and Science of Cyber Security (SoCS) by leveraging existing frameworks, models, and concepts from other domains to increase the scientific rigor of these two sciences. Industry, government, and academia are working feverishly to address hard problems in SoS and SoCS. It is imperative to align the need for scientific research on human factors in cybersecurity with the ongoing efforts of SoS and SoCS. Clearly, these strategic efforts are long-term; therefore, if businesses are looking for quicker solutions, it is worth exploring how the aviation and nuclear power sectors utilize human factors to reduce human error, reduce automation and information overload, and increase focus on human cognitive abilities.

From a technical aspect, cybersecurity consists of a system-of-systems construct, also known as composability, which involves the interdependence and interconnection of complex systems with associated processes and a multitude of variables. The variables include (a) internal factors, (b) external factors, (c) threat factors, and (d) environmental factors. Aligned under each of these categories is a litany of attributes that constantly change and affect humans. Ensuring humans remain a top priority in cybersecurity requires the CIO and CISO to articulate to the C-Suite the significance of developing cybersecurity strategies that address human-centric requirements.

Another glaring issue is the lack of businesses that employ human factors professionals to evaluate their cybersecurity programs. In fact, the cybersecurity community needs to advocate for federal entities to add the Human Factors Specialty to the list of cybersecurity workforce roles. Cybersecurity varies between organizations, so the role of human factors experts is essential for entities with large and robust cybersecurity operations. Nonetheless, all companies can benefit from employing human factors specialists. Primarily, human factors professionals can assess the impact of cybersecurity operations on (a) human work roles, (b) human-centric weaknesses, (c) cyber training and awareness, (d) organizational climate, (e) systematic and organizational processes, (f) decision-making, and (g) leadership, to name a few.

Research recently revealed two phenomena in cybersecurity: security fatigue and alert anxiety. Both occur in cybersecurity due to cognitive overload stemming from information and automation overexertion, which results in cyber professionals making human-induced errors and poor decisions. Human factors specialists can assist with developing processes for identifying security fatigue and alert anxiety. These two phenomena highlight susceptibilities of cyber professionals that are analogous to risks in other technical fields.

Employing human factors experts in cybersecurity requires executives to allocate resources and work with industry, academia, and government to solidify the role of human factors professionals in cybersecurity. Until human factors professionals are integrated into cybersecurity, human-induced errors, security fatigue, and alert anxiety will continue. As a cybersecurity professional, I ask that you evaluate your operations and determine how a human factors expert can improve your efforts in preventing cyber-attacks and combatting cybersecurity threats.

Hacker Demonstrates How Easy In-flight Entertainment System Can Be Hacked

Next time you hear an announcement on a flight, “Ladies and gentlemen, this is your captain speaking…,” the chances are that the announcement is coming from a hacker controlling your flight.

Dangerous vulnerabilities in an in-flight entertainment system used by the leading airlines, including Emirates, United, American Airlines, Virgin, and Qatar, could let hackers hijack several flight systems and even take control of the plane.

According to security researchers from IOActive, the security vulnerabilities reside in the Panasonic Avionics In-Flight Entertainment (IFE) system used in planes run by 13 major airlines, providing a gateway for hackers, which is absolutely terrifying.

The security holes could be exploited by hackers to spoof flight information like map routes, speed statistics, and altitude values, and to steal credit card information.

IOActive’s Ruben Santamarta managed to “hijack” in-flight displays to change information like altitude and location, control the cabin lighting, as well as hack into the announcements system.

“Chained together this could be an unsettling experience for passengers,” said Santamarta. “I don’t believe these systems can resist solid attacks from skilled malicious actors. This only depends on the attacker’s determination and intentions, from a technical perspective it’s totally feasible.”

Besides these critical issues, the researcher said that in some instances hackers could access credit card details of passengers stored in the automatic payment system and use their frequent flyer membership details to capture personal data.

The vulnerabilities affect 13 different airlines that use the Panasonic Avionics system: American Airlines, United, Virgin, Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France, Singapore, and Aerolineas Argentinas.

The vulnerabilities were reported to Panasonic in March last year, and the researcher waited more than a year and a half to go public, so the company had “enough time to produce and deploy patches, at least for the most prominent vulnerabilities.”

Emirates is working with Panasonic to resolve these issues and regularly update its systems. “The safety of our passengers and crew on board is a priority and will not be compromised,” Emirates said, reported the Telegraph.

Santamarta is the same researcher who warned of security issues in systems used by different aircraft in the past.

Back in 2014, he discovered that it was possible to reverse engineer a bug which let him connect, through the Wi-Fi signal or the in-flight entertainment system, to airplanes’ equipment, including the navigation system.

You also might recall that back in 2015 the FBI detained Chris Roberts for possible computer crimes for attempting to hack into an in-flight entertainment system. At that time one of the plane manufacturers cast doubt on the hacking claims; Boeing said its entertainment systems are “isolated from flight and navigation systems.” Well, we now know Chris might have been correct that the systems are vulnerable to hacking just like any other computer system.

Yahoo Says 1 Billion User Accounts Were Hacked

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

The two attacks are the largest known security breaches of one company’s computer network.

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

It is unclear how many Yahoo users were affected by both attacks. The internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.

Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and a series of spam attacks — mass mailings of unwanted messages — the following year.

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.
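The forged-cookie mechanism described above is worth seeing in the concrete. The following is an added example, not Yahoo's code and not a description of how Yahoo's cookies were built: a session cookie carrying a user id and expiry, authenticated with an HMAC over a server-side key. The point it makes is the defensive one: if the key is generated at deployment and kept out of the source tree, knowing the cookie format (which is what stolen source code reveals) is not enough to mint a cookie that verifies, and rotating the key invalidates every cookie issued under the old one. All names, the key handling and the sample values are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# The signing key lives in a secrets store or the environment, never in the
# source tree. Generated fresh here for the demo (assumption); a real service
# loads it at start-up and rotates it on a schedule or after an incident.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Cookie = base64url(payload) '.' base64url(HMAC-SHA256(key, payload))."""
    payload = json.dumps({"uid": user_id, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes, now: int):
    """Return the user id if the cookie is genuine and unexpired, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("uid")


def verification_demo(key: bytes, now: int) -> dict:
    """Genuine cookie versus cookies built from the format alone, without the key."""
    genuine = issue_cookie("alice", key, now)
    _, tag_b64 = genuine.split(".")
    # A payload claiming another identity spliced onto a real tag.
    other_payload = json.dumps({"exp": now + 3600, "uid": "admin"}, sort_keys=True).encode()
    spliced = f"{_b64(other_payload)}.{tag_b64}"
    # A payload signed under a key that is not the server's.
    wrong_key = issue_cookie("admin", b"not-the-server-key", now)
    return {
        "genuine": verify_cookie(genuine, key, now),
        "spliced": verify_cookie(spliced, key, now),
        "wrong_key": verify_cookie(wrong_key, key, now),
        "expired": verify_cookie(genuine, key, now + 7200),
        "after_rotation": verify_cookie(genuine, secrets.token_bytes(32), now),
    }


if __name__ == "__main__":
    for name, result in verification_demo(SERVER_KEY, now=1_700_000_000).items():
        print(f"{name:15s} -> {result}")
```

Only the "genuine" case returns a user id; the spliced, wrongly keyed and expired cookies all verify as None, and so does the genuine cookie once the key has been rotated, which is the mechanical reason a forced key rotation plus password reset is the standard response once an attacker is believed to hold whatever the server signs with.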

In July, Yahoo agreed to sell its core business to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Mr. Lord said Yahoo had taken steps to strengthen Yahoo’s systems after the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo email and account.

In the hacking disclosed Wednesday, Mr. Lord said Yahoo believed an “unauthorized third party” managed to steal data from one billion Yahoo user accounts. Mr. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but that the company believed the attack occurred in August 2013.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company. “It’s not just one sophisticated adversary that gets in,” said Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”

Mr. Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases. “When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.

GoldenEye Ransomware – A New Variant of Petya Ransomware

The creators of Petya ransomware, going by the name of Janus, have come out with a new variant dubbed GoldenEye ransomware. Continuing with the James Bond theme, GoldenEye is almost identical to past versions of the Petya and Mischa variants.

Petya Ransomware History
The Petya ransomware emerged on the cybersecurity scene back in March 2016. Typically, when a user becomes infected with ransomware, the malware targets and encrypts files on the victim’s hard drives, leaving the operating system working properly. However, Petya takes it to the next level. Instead of encrypting files on the hard drive, the ransomware encrypts portions of the hard drive itself, leaving the user unable to access anything on the drive, including Windows.

The ransomware is distributed via emails that target human resource departments. The emails contain a Dropbox link to supposed applications; the link downloads a file which, when executed, installs the Petya ransomware on the system.

In May, two months after the release of Petya, the ransomware was bundled with a second file-encrypting program for cases where it cannot replace a computer’s master boot record to encrypt its file table. Before encrypting the computer’s master file table (MFT), the ransomware replaces the computer’s master boot record (MBR), which contains the code that starts the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves the computer unable to boot.

However, in order to overwrite the MBR of the computer it infects, the malware needs to obtain administrator privileges. In previous versions of Petya, if it failed to obtain administrator privileges, the infection routine stopped. The latest variant, dubbed Mischa, installs another ransomware program that encrypts users’ files directly, which doesn’t require administrator privileges.

In summary, Petya starts off by distributing the ransomware through an email posing as a job application. Once executed, the fake file attempts to download Petya, and if that fails, it installs Mischa. This dynamic duo ensures that the cybercriminals will encrypt your hard drive, leaving you unable to use your system until you have paid the ransom.

GoldenEye Ransomware
Like the earlier versions of Petya, the GoldenEye ransomware is distributed via emails. Posing as job applications, the emails include two file attachments that are supposedly resumes and have a subject starting with the word Bewerbung. As you can see in the email below, GoldenEye is targeting German users.

One of the attachments is a fake resume used to convince members of the human resource department that the email is legitimate. The second attachment is an Excel spreadsheet containing a malicious macro, which is the installer for the GoldenEye ransomware. In the spam emails that have been circulating over the past couple of days, the following Excel file names have been observed spreading GoldenEye.

  • Wiebold-Brewerbung.xls
  • Meinel-Brewerbung.xls
  • Seidel-Brewerbung.xls
  • Wust-Brewerbung.xls
  • Born-Brewerbung.xls
  • Schlosser-Brewerbung.xls

When a user clicks on the ‘Enable Content’ button, the macro launches and saves the embedded payload as an executable file in the temp folder. Once the file has been created, the malware launches automatically, beginning the encryption process on the computer.
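The delivery chain just described gives a mail gateway several indicators to key on before anyone reaches the ‘Enable Content’ button. The following is an added example, not part of the original post and not a vendor rule: it scores constructed sample messages against the indicators the post lists (a subject beginning with Bewerbung, a two-attachment pairing of a decoy resume with an Office file, a macro-capable attachment, and the <Surname>-Brewerbung.xls naming seen in the observed file names) and quarantines anything that hits most of them. The message records, the scoring weights and the threshold are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: subject beginning "Bewerbung", two attachments,
# one an .xls named "<Surname>-Brewerbung.xls" carrying a macro.
ATTACHMENT_NAME = re.compile(r"^[A-Za-z]+-Brewerbung\.xls$", re.IGNORECASE)
# Office formats that can carry VBA macros (assumed list for the demo).
MACRO_CAPABLE = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list      # attachment file names as seen by the gateway


def score_message(msg: Message):
    """Return (score, reasons); each matched indicator adds one point."""
    reasons = []
    names = [a.lower() for a in msg.attachments]
    macro = [n for n in names if n.endswith(MACRO_CAPABLE)]
    if msg.subject.strip().lower().startswith("bewerbung"):
        reasons.append("subject starts with 'Bewerbung'")
    if any(ATTACHMENT_NAME.match(a) for a in msg.attachments):
        reasons.append("attachment name matches the observed GoldenEye pattern")
    if macro:
        reasons.append("macro-capable Office attachment")
    if len(names) == 2 and macro and len(macro) < len(names):
        reasons.append("decoy document paired with an Office attachment")
    return len(reasons), reasons


def triage(messages, threshold: int = 3):
    """Messages scoring at or above the threshold are held for HR/security review."""
    held = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            held.append((msg.subject, score, reasons))
    return held


def sample_mailbox():
    """Constructed sample messages (not real captures)."""
    return [
        Message("applicant@example.net", "Bewerbung als Buchhalter",
                ["Lebenslauf.pdf", "Seidel-Brewerbung.xls"]),
        Message("candidate@example.org", "Bewerbung - Software Engineer",
                ["cv.pdf"]),
        Message("news@example.com", "Weekly newsletter", []),
        Message("vendor@example.com", "Q4 forecast", ["forecast.xlsx"]),
    ]


if __name__ == "__main__":
    for subject, score, reasons in triage(sample_mailbox()):
        print(f"HELD ({score}): {subject}")
        for r in reasons:
            print("   -", r)
```

A genuine German job application with a PDF resume scores a single point for its subject line and passes, while the lure scores on every indicator; the threshold is what keeps the rule from blocking the very applications the HR department exists to receive.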

Here is where GoldenEye differs from the earlier combination of the Petya/Mischa version. Instead of running Petya first and trying to gain administrative privileges to overwrite the MBR and then running Mischa to encrypt files, GoldenEye does the opposite.

Starting just like any other ransomware, GoldenEye encrypts the user’s files and appends a random 8-character extension. This is the Mischa part of the ransomware. Shortly after displaying the ransom note, GoldenEye enters the Petya part of the encryption process. The ransomware forcibly reboots the user’s computer and enters the stage where it encrypts the hard drive’s MFT, which makes it impossible to access any files on the hard drive. This process is masked by a fake ‘check disk (chkdsk)’ screen, as seen below.

Once this process ends, you will see a new ransom screen using yellow-colored text, hence the name ‘GoldenEye.’ The GoldenEye ransom note is shown below.

The GoldenEye ransomware has seen incredible numbers compared to the Locky ransomware, which has been one of the most successful ransomware families to date. Last Wednesday (December 7, 2016), GoldenEye infected 160 users in Germany alone, while Locky’s best day over the last month infected 375 users across 30 countries. The ransom for the encryption key is currently set at 1.33 bitcoins, which equates to roughly $1,000.

What is blockchain?


Blockchain is a term you see fairly often when browsing tech—and non-tech—sites these days. It is widely known as the technology that constitutes the infrastructure of Bitcoin (what’s bitcoin BTW?), a mysterious cryptocurrency created by a mysterious scientist in 2009. Some even mistake it for a synonym for bitcoin. But the reality is that blockchain is a disruptive technology with the potential to transform a wide variety of business processes.

In this article, we will clarify what the blockchain is—and what it isn’t—what its relation to bitcoin is, and what its applications are beyond the realm of cryptocurrencies.

What is blockchain anyway?

At its essence, the blockchain is a distributed ledger—or list—of all transactions across a peer-to-peer network. Put simply, you can think of blockchain as a data structure containing transactions that is shared and synced among nodes in a network (but in fact it gets much more complicated than that). Each node has a copy of the entire ledger and works with others to maintain its consistency.

Changes to the ledger are made through consensus among the participants. When someone wants to add a new record to the blockchain ledger, it has to be verified by the participants in the network, all of whom have a copy of the ledger. If a majority of the nodes agree that the transaction looks valid, it will be approved and will be inserted in a new “block” which will be appended to the ledger at all the locations where it is stored.

Along with the use of cryptography and digital signatures, this approach addresses the issue of security while obviating the need for a central authority.

Each new block can store one or more transactions and is tied to previous ones through digital signatures or hashes. Transactions are stored indefinitely and can’t be modified after they’ve been validated and committed to the ledger.

What makes blockchain unique?

Blockchain’s approach to dealing with transactions is a break from the usual centralized and broker-based model, in which a central server is responsible for processing and storing all transactions. And this is one of the key features that makes blockchain attractive. This creates fault tolerance, so there’s no single point of failure in the blockchain, while also providing security that is on par with what is being offered in the centralized paradigm.

This enables companies, entities and individuals to make and verify transactions instantaneously without relying on a central authority. This is especially useful in the finance industry where the transfer of money is usually tied to and controlled by clearing houses that maintain ledgers and take days to verify and execute a transaction, and collect considerable fees. The blockchain can verify and apply changes within milliseconds, and the costs are next to nothing. In the blockchain model, each bank in a network would have its own copy of the ledger and transactions would be verified and carried out through communications between banks, and within seconds. This will cut costs and increase efficiency.

Another unique feature of the blockchain is its immutability, i.e. it is nearly impossible to tamper with records previously stored in a blockchain. Each new block is tied to previous ones through cryptographic algorithms and calculations, which means the slightest alteration in the blockchain will immediately disrupt and invalidate the entire chain. And with the ledger replicated across many nodes, it becomes even harder to falsify transactions and the ledger’s history.

What are the applications of blockchain?

Bitcoin was the first concrete application of blockchain. It was proposed in 2008 in a paper presented by a person—or a group of people, some say—called Satoshi Nakamoto. Bitcoin uses blockchain to digitally send bitcoins—its namesake currency—between parties without the need for the interference of a third-party broker.

But bitcoin isn’t the only application of blockchain. The distributed ledger makes it easier to create cost-efficient business networks where virtually anything of value can be tracked and traded—without requiring a central point of control.

For instance, blockchain can be used to keep track of assets and goods as they move down the supply chain. Other industries, such as stock exchanges, can make use of the blockchain mechanism to transfer ownership in a secure, peer-to-peer manner.

In the IoT industry, blockchain can help connect billions of devices in a secure way that won’t require centralized cloud servers. It can also be the backbone that will enable autonomous machines that buy and sell services from each other in the future. (There have to be standards in place before they can be totally secured.)

Other industries include retail, healthcare, gaming and many others.

Smart contracts will take the blockchain to the next level, enabling it to do more than just exchange information and get involved in more complex operations.

Different flavors of blockchain

Based on the specific needs of the application making use of blockchain, several of its characteristics might change. In fact, the different implementations of blockchain, and the different cryptocurrencies that use it, vary across sectors.

Permission

Blockchains can be public or “permissionless,” such as the bitcoin blockchain, in which everyone can participate and add transactions. Other organizations are exploring “permissioned” blockchains, in which the network is made up of known participants only. Security and authentication mechanisms vary between these different blockchains.

Anonymity

With ledgers being distributed among nodes, the level of anonymity is also a matter of importance. For instance, bitcoin does not require any personally identifiable information to send or receive payments on the blockchain. However, all transactions are recorded online for everyone to see, which lends a certain amount of transparency and makes total anonymity quite complicated. That’s why it’s known as pseudonymous.

Other implementations of blockchain, such as ZeroCoin, use other mechanisms (zero-knowledge proof) to enable verification without publishing transaction data.

Consensus

Consensus is the mechanism used by nodes in a blockchain to securely verify and validate transactions while maintaining the consistency and integrity of the ledger. The topic is a bit complicated, but the most prevalent form used is the “proof of work” consensus model used by bitcoin, in which nodes—called “miners”—spend computation cycles to run intensive hashing algorithms and prove the authenticity of the block they’re proposing to add. The PoW mechanism prevents DoS attacks and spam.

“Proof of stake” is another popular consensus model, in which nodes are required to prove ownership of a certain amount of currency (their “stake”) to validate transactions.
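The two ideas carried by the immutability and consensus sections above, blocks chained by the hash of their predecessor and a proof of work that makes each block expensive to produce, fit in a few dozen lines. The following is an added example written for this post, not bitcoin’s code: a toy ledger where each block commits to the previous block’s hash, miners search for a nonce that gives the block hash a fixed number of leading zeros, and a validation routine (what a node runs before accepting a copy of the ledger from a peer) rejects a chain in which any committed record has been edited, because the edit changes that block’s hash and breaks both the next block’s link and the proof of work. The difficulty value and the sample payments are assumptions for the demo.

```python
import hashlib
import json
from dataclasses import dataclass

# Toy difficulty: a block hash must start with this many zero hex digits.
# (Assumed constant for the demo; real networks adjust difficulty over time.)
DIFFICULTY = 3


@dataclass
class Block:
    index: int
    previous_hash: str      # hash of the preceding block: the "chain" link
    transactions: list      # records this block commits to the ledger
    nonce: int = 0          # the value miners vary during proof of work

    def serialize(self) -> bytes:
        # Canonical JSON so every node hashes exactly the same bytes.
        return json.dumps(
            {"index": self.index, "previous_hash": self.previous_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":")).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.serialize()).hexdigest()


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    """Proof of work: try nonces until the block hash meets the target."""
    target = "0" * difficulty
    while not block.hash().startswith(target):
        block.nonce += 1
    return block


def append_block(chain: list, transactions: list, difficulty: int = DIFFICULTY) -> Block:
    """Build a block pointing at the current tip, mine it, append it."""
    previous_hash = chain[-1].hash() if chain else "0" * 64
    block = mine(Block(len(chain), previous_hash, list(transactions)), difficulty)
    chain.append(block)
    return block


def validate_chain(chain: list, difficulty: int = DIFFICULTY):
    """Checks a node runs before accepting a ledger copy. Returns (ok, reason).

    The previous_hash link catches edits to earlier blocks; the proof-of-work
    check is what makes re-forging every later block expensive."""
    target = "0" * difficulty
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash() if i > 0 else "0" * 64
        if block.index != i:
            return False, f"block {i}: index mismatch"
        if block.previous_hash != expected_prev:
            return False, f"block {i}: previous_hash does not match block {i - 1}"
        if not block.hash().startswith(target):
            return False, f"block {i}: proof of work not satisfied"
    return True, "ok"


def build_demo_chain() -> list:
    """Constructed sample ledger: genesis plus two blocks of payments."""
    chain: list = []
    append_block(chain, [])                                        # genesis block
    append_block(chain, [{"from": "nancy", "to": "peter", "amount": 2}])
    append_block(chain, [{"from": "peter", "to": "eve", "amount": 1},
                         {"from": "nancy", "to": "eve", "amount": 1}])
    return chain


def tamper_demo():
    """Editing a committed record: validation before and after."""
    chain = build_demo_chain()
    before = validate_chain(chain)
    chain[1].transactions[0]["amount"] = 200     # rewrite history in block 1
    after = validate_chain(chain)
    return before, after


if __name__ == "__main__":
    before, after = tamper_demo()
    print("untampered:", before)
    print("tampered:  ", after)
```

Re-mining block 1 after the edit would restore its proof of work, but its new hash would no longer be what block 2 points at, so the forger would have to re-mine every later block as well, and faster than the honest nodes extend the real chain; that is the cost the consensus section refers to.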

This is just the beginning

Blockchain is a new way of communicating and transferring data. We still don’t know quite how it will evolve in the future, but what we do know is that it is bound to change quite a few things. A look at the figures presented in this Business Insider article proves why we can call it a disruptive technology.

I don’t know about you, but I’m excited about what blockchain surprises are waiting to be discovered over the horizon, and I will be exploring its uses more in the coming months.

 

Google accounts hit with malware — a million and growing

86 apps available in third-party marketplaces can root 74 percent of Android phones.

More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.

Check Point said in a blog post that the attack campaign, known as Gooligan, is expanding to an additional 13,000 devices a day. It’s malware that infects devices and steals their authentication tokens to breach data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs.

The malware attack is said to be the biggest single theft of Google accounts on record, according to Forbes. But the reason for the attack may not be what you’d expect. It’s not to grab personal information from the accounts of Google users. Instead, it’s to force them to download apps that are part of an advertising fraud scheme that makes up to $320,000 a month, Michael Shaulov, head of mobile and cloud security at Check Point, told Forbes.

Google responded to a request for comment with a link to its blog post about the attack. In the post, Google said it has found no evidence that Gooligan has accessed user data or that specific groups of people have been targeted. “The motivation…is to promote apps, not steal information,” Google said.

The episode comes at a time when cyber attacks have been a high profile problem, hitting everyone from internet giants to the Democratic National Committee. In September, Yahoo suffered what is believed to be the biggest cyber attack in history, in which hackers swiped information from more than half a billion accounts. And in July, the White House said it believed Russia was behind hacks of the DNC.

Gooligan belongs to a family of malware called Ghost Push. It features a Trojan horse type of attack, in which the malicious software poses as legitimate apps for Android smartphones and tablets. Names of the malicious apps include StopWatch, Perfect Cleaner and WiFi Enhancer, according to The Wall Street Journal. Once installed, these apps automatically install other apps, some of which can steal usernames and passwords to post fake reviews.

Those downloads and reviews apparently feed into the hackers’ ad fraud scheme. The hackers have run ads in those forcibly downloaded apps, so every click or download helps the hackers make money, Forbes reported.

Check Point said Gooligan is a variant of an Android malware campaign found by researchers in the SnapPea app last year.

The Gooligan apps come from third-party app stores or websites, instead of the Google Play store, where the company has more control over apps. But Check Point said some apps that Gooligan downloads without permission can be found on the Play store.

Google said it has removed those apps from the Play store.

People who are worried that their Google accounts may be compromised can consult the Check Point website.

Part 3: How do Bitcoin Transactions Work?

Bitcoin transactions are sent from and to electronic bitcoin wallets, and are digitally signed for security. Everyone on the network knows about a transaction, and the history of a transaction can be traced back to the point where the bitcoins were produced.

Holding onto bitcoins is great if you’re a speculator waiting for the price to go up, but the whole point of this currency is to spend it, right? So, when spending bitcoins, how do transactions work?

There are no bitcoins, only records of bitcoin transactions

Here’s the funny thing about bitcoins: they don’t exist anywhere, even on a hard drive. We talk about someone having bitcoins, but when you look at a particular bitcoin address, there are no digital bitcoins held in it, in the same way that you might hold dollars in a bank account. You cannot point to a physical object, or even a digital file, and say “this is a bitcoin”.

Instead, there are only records of transactions between different addresses, with balances that increase and decrease. Every transaction that ever took place is stored in a vast public ledger called the block chain. If you want to work out the balance of any bitcoin address, the information isn’t held at that address; you must reconstruct it by looking at the blockchain.

What does a transaction look like?

If Nancy sends some bitcoins to Peter, that transaction will have three pieces of information:

  • An input. This is a record of which bitcoin address was used to send the bitcoins to Nancy in the first place (she received them from her friend, Eve).
  • An amount. This is the amount of bitcoins that Nancy is sending to Peter.
  • An output. This is Peter’s bitcoin address.

How is it sent?

To send bitcoins, you need two things: a bitcoin address and a private key. A bitcoin address is generated randomly, and is simply a sequence of letters and numbers. The private key is another sequence of letters and numbers, but unlike your bitcoin address, this is kept secret.

Think of your bitcoin address as a safe deposit box with a glass front. Everyone knows what is in it, but only the private key can unlock it to take things out or put things in.

When Nancy wants to send bitcoins to Peter, she uses her private key to sign a message with the input (the source transaction(s) of the coins), amount, and output (Peter’s address).

She then sends them from her bitcoin wallet out to the wider bitcoin network. From there, bitcoin miners verify the transaction, putting it into a transaction block and eventually solving it.

Why must I sometimes wait for my transaction to clear?

Because your transaction must be verified by miners, you are sometimes forced to wait until they have finished mining. The bitcoin protocol is set so that each block takes roughly 10 minutes to mine.

Some merchants may make you wait until this block has been confirmed, meaning that you may have to make a cup of coffee and come back again in a short while before you can download the digital goods or take advantage of the paid service.

On the other hand, some merchants won’t make you wait until the transaction has been confirmed. They effectively take a chance on you, assuming that you won’t try and spend the same bitcoins somewhere else before the transaction confirms. This often happens for low value transactions, where the risk of fraud isn’t as great.

What if the input and output amounts don’t match?

Because bitcoins exist only as records of transactions, you can end up with many different transactions tied to a particular bitcoin address. Perhaps Jane sent Alice two bitcoins, Philip sent her three bitcoins and Eve sent her a single bitcoin, all as separate transactions at separate times.

These are not automatically combined in Alice’s wallet to make one file containing six bitcoins. They simply sit there as different transaction records.

When Alice wants to send bitcoins to Bob, her wallet will try to use transaction records with different amounts that add up to the number of bitcoins that she wants to send Bob.

The chances are that when Alice wants to send bitcoins to Bob, she won’t have exactly the right number of bitcoins from other transactions. Perhaps she only wants to send 1.5 BTC to Bob.

None of the transactions that she has in her bitcoin address are for that amount, and none of them add up to that amount when combined. Alice can’t just split a transaction into smaller amounts. You can only spend the whole output of a transaction, rather than breaking it up into smaller amounts.

Instead, she will have to send one of the incoming transactions, and then the rest of the bitcoins will be returned to her as change.

Alice sends the two bitcoins that she got from Jane to Bob. Jane is the input, and Bob is the output. But the amount is only 1.5 BTC, because that is all she wants to send. So, her wallet automatically creates two outputs for her transaction: 1.5 BTC to Bob, and 0.5 BTC to a new address, which it created for Alice to hold her change.
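The whole-output rule, the change output and the implicit fee described in this section and the next are easiest to see as code. The following is an added example for this post, not a wallet's real implementation: Alice's three incoming payments are held as unspent outputs, a balance is only ever the sum of those outputs, the wallet must spend outputs whole and route the excess to a change address, and whatever the inputs carry that no output claims is the fee. The selection policy (smallest single output that covers the amount, otherwise largest outputs first), the 5430-satoshi minimum output taken from the figure later in the post, and the sample addresses and transaction ids are all assumptions for the demo.

```python
from decimal import Decimal

SATOSHI = Decimal("0.00000001")
# Smallest output the post says the network accepts (5430 satoshis); treated
# here as a fixed constant for the demo.
DUST_LIMIT = 5430 * SATOSHI


def btc(value) -> Decimal:
    """Exact decimal amount; never float, which cannot represent 0.1 exactly."""
    return Decimal(str(value))


def balance(utxos: list) -> Decimal:
    """There is no stored balance: it is the sum of unspent outputs paid to you."""
    return sum((u["amount"] for u in utxos), Decimal(0))


def select_inputs(utxos: list, target: Decimal) -> list:
    """Pick whole outputs to cover `target`; an output cannot be partially spent.

    Assumed policy (not bitcoin's reference algorithm): the single smallest
    output that covers the target, otherwise largest outputs first."""
    covering = [u for u in utxos if u["amount"] >= target]
    if covering:
        return [min(covering, key=lambda u: u["amount"])]
    chosen, total = [], Decimal(0)
    for u in sorted(utxos, key=lambda u: u["amount"], reverse=True):
        if total >= target:
            break
        chosen.append(u)
        total += u["amount"]
    if total < target:
        raise ValueError(f"insufficient funds: have {total}, need {target}")
    return chosen


def build_transaction(utxos, to_address, amount, change_address, fee=Decimal(0)):
    """Spend the selected inputs entirely; anything beyond amount+fee is change."""
    inputs = select_inputs(utxos, amount + fee)
    total_in = sum((u["amount"] for u in inputs), Decimal(0))
    outputs = [{"address": to_address, "amount": amount}]
    change = total_in - amount - fee
    if change >= DUST_LIMIT:
        outputs.append({"address": change_address, "amount": change})
    # Change below the dust limit is not worth an output and is left to the miner.
    if any(o["amount"] < DUST_LIMIT for o in outputs):
        raise ValueError("output below the minimum the network accepts")
    return {"inputs": inputs, "outputs": outputs}


def implicit_fee(tx: dict) -> Decimal:
    """Input value that no output claims goes to the miner who solves the block."""
    return (sum((u["amount"] for u in tx["inputs"]), Decimal(0))
            - sum((o["amount"] for o in tx["outputs"]), Decimal(0)))


def alice_utxos() -> list:
    """Constructed sample: the three separate payments the post describes."""
    return [
        {"txid": "tx-from-jane",   "vout": 0, "amount": btc("2")},
        {"txid": "tx-from-philip", "vout": 0, "amount": btc("3")},
        {"txid": "tx-from-eve",    "vout": 0, "amount": btc("1")},
    ]


if __name__ == "__main__":
    utxos = alice_utxos()
    print("Alice's balance:", balance(utxos))
    tx = build_transaction(utxos, "bob-address", btc("1.5"), "alice-change-address")
    for i in tx["inputs"]:
        print("input ", i["txid"], i["amount"])
    for o in tx["outputs"]:
        print("output", o["address"], o["amount"])
    print("fee:", implicit_fee(tx))
```

Sending 1.5 BTC picks Jane's 2 BTC output whole and returns 0.5 BTC as change, exactly the case in the text; sending 5.5 BTC, which no single output covers, pulls in all three outputs and still produces one change output, and any fee the wallet sets shows up as the gap between what the inputs carry and what the outputs claim.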

Are there any transaction fees?

Sometimes, but not all the time. (Now how does that make sense?)

Transaction fees are calculated using various factors. Some wallets let you set transaction fees manually. Any portion of a transaction that isn’t picked up by the recipient or returned as change is considered a fee. This then goes to the miner lucky enough to solve the transaction block as an extra reward.

Right now, many miners process transactions for no fees. As the block reward for bitcoins decreases, this will be less likely.

One of the frustrating things about transaction fees in the past was that the calculation of those fees was complex. It has been the result of several updates to the protocol, and has developed organically.

Updates to the core software handling bitcoin transactions will see it change the way that it handles transaction fees, instead estimating the lowest fee that will be accepted.

Can I get a receipt?

Bitcoin wasn’t really meant for receipts, although there are changes coming in version 0.9 that will alter the way payments work, making them far more user-friendly and mature.

Payment processors like BitPay also provide the advanced features that you wouldn’t normally get with a native bitcoin transaction, such as receipts and order confirmation web pages.

What if I only want to send part of a bitcoin?

Bitcoin transactions are divisible. A satoshi is one hundred millionth of a bitcoin, and it is possible to send a transaction as small as 5430 satoshis on the bitcoin network.

I will cover what “Blockchain” is in my next post. Hope this has been helpful!