Category Archives: Technology

And the plot thickens: Hackers Entered Equifax Systems in March

Equifax previously disclosed data was potentially accessed in May

Hackers roamed undetected in Equifax Inc.’s computer network for more than four months before its security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.

FireEye’s Mandiant group, which has been hired by Equifax to investigate the breach, said the first evidence of hackers’ “interaction” with the company occurred on March 10, according to the Mandiant report, which was reviewed by The Wall Street Journal.

Equifax had previously disclosed that data belonging to approximately 143 million Americans was potentially accessed in May. It isn’t known when Equifax learned from Mandiant that the hacking activity began in March, not May. Equifax wasn’t available for comment.

Equifax has said it didn’t discover the breach until July 29. Days later it called in Mandiant. Equifax didn’t disclose the breach until Sept. 7.

The attack, which is being probed by the Federal Bureau of Investigation, is one of the most significant data breaches given the scope of the information disclosed: people’s names, addresses, dates of birth and Social Security numbers. In its wake, consumers, customers, regulators and legislators have been asking how the attack occurred and whether Equifax took sufficient measures to protect such sensitive information.

Equifax sent the Mandiant report to some customers, many of which are financial firms, with a cover letter dated Tuesday, Sept. 19, that was signed by the company’s new chief information officer, Mark Rohrwasser, and new chief security officer, Russ Ayres. Equifax last Friday announced the departure of the two executives who previously held those positions.

In a progress report that accompanied that announcement last Friday, Equifax said hackers accessed consumers’ data from May 13 through July 30. It didn’t mention in that report that the attack had begun at an earlier date.

Mandiant’s report this week noted the hackers accessed one of Equifax’s servers by taking advantage of a flaw in software called Apache Struts, used by many companies to build interactive websites.

Two days before the access occurred, on March 8, security researchers at Cisco Systems Inc. warned of the flaw in Struts and a patch was issued by the Apache Software Foundation. Equifax in its report last week said its security staff “took efforts” to fix the system, saying it understood the intense focus outside the company on patching efforts and that its review was ongoing.

After interacting with Equifax’s server in early March, the hackers then entered the computer command “whoami,” Mandiant wrote. This command would have told the attackers which user account the compromised server process was running as, an early step in a hacking attempt.

Investigators have not determined for certain whether the March activity was the work of the data thieves or a different set of hackers, but it was likely the beginning of a monthslong reconnaissance mission, according to a person familiar with the investigation. It is common for attackers to lurk for months after their initial break-in as they probe corporate systems—the digital equivalent of trying as many doorknobs as possible to see which doors can be opened.

The March activity was likely a result of the hackers “spamming the internet for vulnerable systems,” said Johannes Ullrich, dean of research with the SANS Technology Institute, a cybersecurity training school.

It isn’t surprising that the hackers took weeks before accessing the sensitive data, Mr. Ullrich said. “Typically, you first build out a beachhead so that it’s difficult to get kicked out,” he added.

On average, it takes companies close to 100 days to discover that they have been hacked, FireEye said in a report released earlier this year. In Equifax’s case, it took 141 days.

Eventually, between May 13 and late July, the attackers accessed files that contained Equifax credentials, such as username and password, and “performed database queries that provided access to documents and sensitive information stored in databases in an Equifax legacy environment,” the Mandiant report said.

Overall, the attackers accessed “numerous database tables in several databases,” the Mandiant report said.

The report added that the attackers “compromised two systems” that support Equifax’s online dispute web application. This is the place where consumers go to dispute information on their credit reports.

The hackers also set up about 30 Web shells—hidden pages that would allow them to remotely run commands on Equifax’s systems even if the Struts vulnerability was patched, the report said. The attackers “remotely accessed” the Equifax systems from approximately 35 “distinct public IP addresses,” it added.
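Two of the behaviours the report describes, a reconnaissance command such as “whoami” issued through the web application and previously unknown pages that keep accepting commands from many distinct IP addresses, are visible in ordinary web server access logs. The script below is an added illustration, not code from the WSJ report, Mandiant or Equifax: it applies those two signals to a handful of constructed Common Log Format lines. The paths, IP addresses, timestamps, the list of recognised commands and the BASELINE_PATHS allowlist are all assumptions made for the example.

```python
# Added example (not from the WSJ report or Mandiant): triage of web server
# access logs for web-shell-like activity using two signals described in the
# article, reconnaissance commands in request parameters and previously
# unseen pages receiving POSTs from several distinct IPs.
# All paths, IP addresses and timestamps below are constructed for the example.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# First word of a parameter value that looks like an OS command an intruder
# runs right after landing (the report mentions "whoami"). Assumed list.
RECON_COMMANDS = {"whoami", "id", "uname", "hostname", "ipconfig", "ifconfig",
                  "net", "cat", "ls", "dir", "type", "cmd", "powershell"}

# Assumption: pages the application is known to serve (from a pre-incident
# crawl or deployment manifest). Anything outside this set is suspect.
BASELINE_PATHS = {"/dispute/index.action", "/dispute/submit.action",
                  "/static/app.css"}

# Constructed sample log; the .jsp under /images/ plays the role of a web shell.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2017:02:14:09 +0000] "GET /dispute/index.action HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2017:02:14:11 +0000] "GET /dispute/index.action?cmd=whoami HTTP/1.1" 200 44
203.0.113.5 - - [12/Mar/2017:11:03:48 +0000] "POST /dispute/images/util.jsp HTTP/1.1" 200 86
203.0.113.9 - - [12/Mar/2017:11:07:02 +0000] "POST /dispute/images/util.jsp HTTP/1.1" 200 91
192.0.2.44 - - [12/Mar/2017:11:09:15 +0000] "GET /dispute/images/util.jsp?c=cat+/etc/passwd HTTP/1.1" 200 1800
192.0.2.10 - - [12/Mar/2017:11:10:30 +0000] "GET /dispute/index.action HTTP/1.1" 200 5120
192.0.2.10 - - [12/Mar/2017:11:10:31 +0000] "GET /static/app.css HTTP/1.1" 200 2210
"""


def parse_line(line: str):
    """Return ip, method, path and query parameters for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": url.path, "params": parse_qs(url.query)}


def command_hits(params: dict) -> list:
    """Parameter values whose first token is a reconnaissance command."""
    hits = []
    for values in params.values():
        for value in values:
            tokens = value.split()
            if tokens and tokens[0].lower() in RECON_COMMANDS:
                hits.append(tokens[0].lower())
    return hits


def analyze(log_text: str, baseline: set) -> list:
    """Aggregate requests per path and flag web-shell-like behaviour."""
    stats = defaultdict(lambda: {"ips": set(), "posts": 0, "commands": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["path"]]
        s["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            s["posts"] += 1
        s["commands"].extend(command_hits(rec["params"]))

    findings = []
    for path, s in sorted(stats.items()):
        reasons = []
        if s["commands"]:
            reasons.append("command-like parameter value")
        if path not in baseline and s["posts"]:
            reasons.append("unlisted page accepting POST requests")
        if path not in baseline and len(s["ips"]) > 1:
            reasons.append("unlisted page reached from several IPs")
        if reasons:
            findings.append({"path": path, "distinct_ips": len(s["ips"]),
                             "posts": s["posts"], "commands": s["commands"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, BASELINE_PATHS):
        print(f["path"], f["distinct_ips"], "IPs;", "; ".join(f["reasons"]))
```

The allowlist is the part that does the real work: a shell dropped as a new file shows up as an unlisted path, while a probe through a legitimate page (the “whoami” against index.action above) is caught only by the parameter check. Real web shells usually take their commands in the POST body or in headers, which access logs do not record, so this is a first pass over cheap data, not a substitute for inspecting the web root for files that the deployment did not ship.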

The identity of the hackers is still unknown. Mandiant said in its letter that it hadn’t been able to attribute the breach to any “threat group actor” it currently tracks. Nor did the “tools, tactics and procedures” used overlap with those seen in previous investigations by the firm.


Network Safety: Experts Weigh In

If you missed our cybersecurity session “Cybersecurity for CEOs - The Game Has Changed” at the NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

Stolen information for a single customer can fetch $10-20 on the dark net, but the liability to the organization is $158 or more per record. This larger figure reflects the cost to recover data, the value of the information to competitors and the regulatory fines incurred. Multiply it by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

“A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but are they already in?”

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them unless the victim pays an agreed-upon sum. However, an organization that already has solid system backups in place can combat ransomware by reverting to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerabilities (holes in security unknown to the vendor, typically identified and exploited by hackers before a fix exists) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because email and phone calls are openings into an organization that no perimeter control fully closes, organizations must be vigilant in managing these channels to avoid a breach. One way to do this is to focus security training on individuals with elevated privileges, such as system administrators and C-suite users, who are prime targets for hackers.

Know Who to Call

“An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software rather than patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.”

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

“Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.”

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important question that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?”

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company’s priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.”

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.”

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Adding other annual assessments, such as penetration testing and phishing simulations, to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders


House Votes in Favor of Letting ISPs Sell Your Browsing History

Your internet history and browsing habits are for sale, and the House voted Tuesday to keep it that way, rolling back rules that would have barred internet service providers from selling your data without consent.

The measure would bar the Federal Communications Commission from enforcing rules it passed last year, during President Barack Obama’s administration, that would have required broadband providers to get your explicit consent before they could sell your personal data.

Before Tuesday’s vote, representatives who wanted to keep the rules stripped the debate down to something as mundane as buying underwear online, privately.

“I know there has got to be somebody in this body who believes [internet service providers] should not have anybody’s underwear size,” said Rep. Keith Ellison, D-Minnesota.

With strong opposition from Democrats, the measure narrowly passed in the House by a 215-205 vote. No Democrats voted for the bill, and 15 Republicans opposed it. A similar version squeaked through the Senate last Thursday on a party-line vote of 50-48.

The president’s signature is all that is needed now to roll back the rules, leaving consumer data fair game for internet service providers and, crucially, barring the FCC from issuing similar protections in the future. The White House said in a statement on Tuesday that it “strongly supports” the repeal.

After the vote, the Internet & Television Association issued a statement applauding the congressional action to repeal “the FCC’s misguided rules.”

“With a proven record of safeguarding consumer privacy, internet providers will continue to work on innovative new products that follow ‘privacy-by-design’ principles and honor the FTC’s successful consumer protection framework,” the group said in a statement. “We look forward to working with policymakers to restore consistency and balance to online privacy protections.”

CTIA, formerly the Cellular Telecommunications and Internet Association, an advocacy group for the industry, applauded the measure’s sponsors last week for “seeking a common-sense and harmonized approach to protecting Americans’ privacy.”

“Wireless carriers are committed to safeguarding consumer privacy, and we support regulatory clarity and uniformity across our digital economy,” CTIA said in a statement.

But internet privacy advocates are framing this as a battle between privacy and profits.

Kate Tummarello, a policy analyst at the San Francisco-based Electronic Frontier Foundation, said the “commonsense rules” Congress voted to repeal were designed “to protect your data” and keep internet service providers from doing a “host of creepy things” without your consent.

“Of course, the ISPs that stand to make money off of violating your privacy have been lobbying Congress to repeal those rules,” she said in a statement before the vote. “Unfortunately, their anti-consumer push has been working.”

The measure has also spawned a call to action from Data Does Good, a company that wants to empower people to leverage their data to help in the fight for online privacy rights.

The premise: Give Data Does Good your Amazon shopping history, which they say they’ll automatically anonymize and pool with others before selling it to retailers.

Data Does Good will then donate $15 on your behalf to a non-profit of your choice that is fighting for privacy rights, such as the Electronic Frontier Foundation or the ACLU.

Still more to come. Remember the NSA already has all of this information.

UPS Tests “Last Step” Drone Delivery

Test demonstrates potential efficiencies drones can provide on rural delivery routes

Unlike previous drone tests, UPS/Workhorse test incorporates drone delivery into day-to-day delivery operations

Earlier this week, UPS announced that it has successfully tested a delivery drone that launches from the top of a UPS® package car, autonomously delivers a package to a home and then returns to the vehicle while the delivery driver continues along the route to making deliveries.

UPS, like Amazon, is working to reduce delivery times and its growing logistics bill. You can read more about Amazon’s efforts in my Amazon Prime Air Update.

The test was conducted on Monday in Lithia, Fla. in partnership with Workhorse Group (NASDAQ: WKHS), an Ohio-based battery-electric truck and drone developer. Workhorse built the drone and the electric UPS package car used in the test.

The drone used in Monday’s test was the Workhorse HorseFly™ UAV Delivery system. It’s an octocopter that’s fully integrated with Workhorse’s line of electric/hybrid delivery trucks. The drone docks on the roof of the delivery truck. A cage suspended beneath the drone extends through a hatch into the truck. A UPS driver inside loads a package into the cage and presses a button on a touch screen, sending the drone on a preset autonomous route to an address. The battery-powered HorseFly drone recharges while it’s docked. It can carry a package weighing up to 10 pounds.

I like UPS’s approach to studying how drone delivery can reduce costs. A reduction of just one mile per driver per day over one year can save UPS up to $50 million. UPS has about 66,000 delivery drivers on the road each day. It’s easy to see how a delivery program like this, at least in rural areas where homes are far apart and drivers have to travel long distances to make a single delivery, has the potential to save UPS a ton of money. A program like this also has environmental benefits.

I’m encouraged to see companies like Amazon and UPS working to realize the cost-saving potential of UAVs. I’m especially encouraged to see both companies refining their approaches into programs that have the potential to be deployed in the field in the near term.

Way to go UPS!

UPS serves on the FAA’s drone advisory committee.

Originally posted by Carl Bruckner
President at Concentric Sky.

It’s a bird, it’s a plane, no it’s a Perdix

What’s small, fast, and is launched from the bottom of a fighter jet? Not missiles, but a swarm of drones.

I watched a 60 Minutes report on Tuesday night that had me so intrigued by what the military is doing with new technology. This is not just about drones; it’s about where the future is going with the following technologies.

  • Unmanned ground vehicle (UGV), such as the autonomous car.
  • Unmanned aerial vehicle (UAV), unmanned aircraft commonly known as a “drone” …
  • Unmanned surface vehicle (USV), for the operation on the surface of the water.
  • Autonomous underwater vehicle (AUV) or unmanned undersea vehicle (UUV), for the operation underwater.

U.S. military officials have announced that they’ve carried out their largest ever test of a drone swarm released from fighter jets in flight. In the trials, three F/A-18 Super Hornets released 103 Perdix drones, which then communicated with each other and went about performing a series of formation flying exercises that mimic a surveillance mission.

But the swarm doesn’t know how, exactly, it will perform the task before it’s released. As William Roper of the Department of Defense explained in a statement:

Perdix are not pre-programmed synchronized individuals, they are a collective organism, sharing one distributed brain for decision-making and adapting to each other like swarms in nature. Because every Perdix communicates and collaborates with every other Perdix, the swarm has no leader and can gracefully adapt to drones entering or exiting the team.

Releasing drones from a fast-moving jet isn’t straightforward, as high speeds and turbulence buffet them, causing them damage. But the Perdix drone, originally developed by MIT researchers and named after a Greek mythical character who was turned into a partridge, is now in its sixth iteration and able to withstand speeds of Mach 0.6 and temperatures of -10 °C during release.

A Washington Post report last year explained that they had been developed as part of a $20 million Pentagon program to augment the current fleet of military drones. It’s hoped that the small aircraft, which weigh around a pound each and are relatively inexpensive because they’re made from off-the-shelf components, could be dropped by jets to perform missions that would usually require much larger drones, like the Reaper.

Clearly, they’re well on the way to being that useful. Now the Pentagon is working with its own Silicon Valley-style innovation organization, the Defense Innovation Unit Experimental, to build fleets of the micro-drones.

I’ll be talking about some of the individual technologies in the future.

Let me know your thoughts and what you think of this type of technology.

Human Factors in Cybersecurity

Humans are the central focus in cybersecurity

Cybersecurity remains a top concern for businesses around the world. In an effort to combat cyber attacks and threats, businesses continuously integrate new technology without realizing that technologically deterministic practices are detrimental and counterproductive. Cyber threats and vulnerabilities evolve daily, and some of those vulnerabilities are unintended consequences of integrating new technologies. Without a doubt, technology can aid in combating cyber threats and mitigating vulnerabilities, but one of the biggest gaps in cybersecurity is neglecting the implications for the humans who operate it.

Cybersecurity is a human problem, not only in terms of strategy but also in ensuring that organizations take a human-centric approach to it. There are countless examples of organizations that forged ahead with technological integration rather than assessing the integration from a human-centric perspective. Existing research on human factors in cybersecurity tends to focus primarily on human error rather than taking a comprehensive look at the problem. In fairness, part of the problem lies with the lack of scientific frameworks, concepts, and models for human-centric issues in cybersecurity.

An ongoing strategic initiative is the proliferation of Science of Security (SoS) and Science of Cyber Security (SoCS) by leveraging existing frameworks, models, and concepts from other domains to increase the scientific rigor of the sciences mentioned above. Industry, government, and academia are working feverishly to address hard problems in SoS and SoCS. It is imperative to align the need for scientific research on human factors in cybersecurity with the ongoing efforts of SoS and SoCS. Clearly, these strategic efforts are long-term; therefore, if businesses are looking for quicker solutions it is worth exploring how the aviation and nuclear power sectors utilize human factors to reduce human error, reduce automation and information overload, and increase focus on human cognitive abilities.

From a technical perspective, cybersecurity is a system of systems, also described in terms of composability: the interdependence and interconnection of complex systems with their associated processes and a multitude of variables. The variables include (a) internal factors, (b) external factors, (c) threat factors, and (d) environmental factors. Under each category is a litany of attributes that constantly change and affect humans. Ensuring humans remain a top priority in cybersecurity requires the CIO and CISO to articulate to the C-suite the significance of developing cybersecurity strategies that address human-centric requirements.

Another glaring issue is how few businesses employ human factors professionals to evaluate their cybersecurity programs. The cybersecurity community should advocate for federal entities to add a Human Factors specialty to the list of cybersecurity workforce roles. Cybersecurity varies between organizations, and the role of human factors experts is most essential for entities with large cybersecurity operations, but all companies can benefit from employing them. Human factors professionals can assess the impact of cybersecurity operations on (a) human work roles, (b) human-centric weaknesses, (c) cyber training and awareness, (d) organizational climate, (e) systematic and organizational processes, (f) decision-making, and (g) leadership, to name a few.

Research has recently described two phenomena in cybersecurity: security fatigue and alert anxiety. Both stem from cognitive overload caused by information and automation overexertion, and both result in cyber professionals making human-induced errors and poor decisions. Human factors specialists can help develop processes for identifying security fatigue and alert anxiety. These two phenomena highlight a susceptibility of cyber professionals analogous to risks recognized in other technical fields.

Employing human factors experts in cybersecurity requires executives to allocate resources and to work with industry, academia, and government to solidify the role of human factors professionals in cybersecurity. Until human factors professionals are integrated into cybersecurity, human-induced errors, security fatigue, and alert anxiety will continue. As a cybersecurity professional, I ask that you evaluate your operations and determine how a human factors expert can improve your efforts in preventing cyber-attacks and combatting cybersecurity threats.

What is blockchain?


Blockchain is a term you see fairly often when browsing tech—and non-tech—sites these days. It is widely known as the technology underlying Bitcoin (what’s bitcoin, BTW?), a mysterious cryptocurrency created by a mysterious figure in 2009. Some even take it as a synonym for bitcoin. But the reality is that blockchain is a disruptive technology with the potential to transform a wide variety of business processes.

In this article, we will clarify what the blockchain is—and what it isn’t—what its relation to bitcoin is, and what its applications are beyond the realm of cryptocurrencies.

What is blockchain anyway?

At its essence, the blockchain is a distributed ledger—or list—of all transactions across a peer-to-peer network. Put simply, you can think of blockchain as a data structure containing transactions that is shared and synced among nodes in a network (but in fact it gets much more complicated than that). Each node has a copy of the entire ledger and works with others to maintain its consistency.

Changes to the ledger are made through consensus among the participants. When someone wants to add a new record to the ledger, the other nodes, each holding a copy of the ledger, check it against the network’s rules. If the nodes agree, under the network’s consensus rules, that the transaction is valid, it is placed in a new “block” that is appended to the ledger at every location where it is stored.

Along with the use of cryptography and digital signatures, this approach addresses the issue of security while obviating the need for a central authority.

Each new block can store one or more transactions and is tied to the previous block by including that block’s cryptographic hash; the transactions inside a block are authenticated by digital signatures. Transactions are stored indefinitely and can’t be modified after they have been validated and committed to the ledger.

What makes blockchain unique?

Blockchain’s approach to dealing with transactions is a break from the usual centralized, broker-based model, in which a central server is responsible for processing and storing all transactions. This is one of the key features that makes blockchain attractive: it creates fault tolerance, because there is no single point of failure, while providing security on par with the centralized paradigm.

This enables companies, entities and individuals to make and verify transactions quickly without relying on a central authority. This is especially useful in the finance industry, where the transfer of money is usually tied to and controlled by clearing houses that maintain ledgers, take days to verify and execute a transaction, and collect considerable fees. A blockchain can verify and apply changes in seconds to minutes rather than days, at a fraction of the cost. In the blockchain model, each bank in a network would have its own copy of the ledger, and transactions would be verified and carried out through communications between the banks. This would cut costs and increase efficiency.

Another unique feature of the blockchain is its immutability: it is nearly impossible to tamper with records previously stored in it. Each new block is tied to the previous one through cryptographic hashes, so the slightest alteration to an earlier block changes its hash and invalidates every block that follows it. With the ledger replicated across many nodes, falsifying transactions or the ledger’s history becomes harder still, because the altered copy disagrees with every honest copy.

What are the applications of blockchain

Bitcoin was the first concrete application of blockchain. It was proposed in 2008 in a paper published by a person—or a group of people, some say—using the name Satoshi Nakamoto. Bitcoin uses a blockchain to send bitcoins—its namesake currency—between parties without the interference of a third-party broker.

But bitcoin isn’t the only application of blockchain. The distributed ledger makes it easier to create cost-efficient business networks where virtually anything of value can be tracked and traded—without requiring a central point of control.

For instance, blockchain can be used to keep track of assets and goods as they move down the supply chain. Other industries, such as stock exchanges, can use the blockchain mechanism to transfer ownership in a secure, peer-to-peer manner.

In the IoT industry, blockchain could help connect billions of devices in a secure way that doesn’t require centralized cloud servers. It could also be the backbone enabling autonomous machines to buy and sell services from each other in the future. (Standards have to be in place before such systems can be properly secured.)

Other industries include retail, healthcare, gaming and many others.

Smart contracts will take the blockchain to the next level, enabling it to do more than just exchange information and get involved in more complex operations.

Different flavors of blockchain

Depending on the specific needs of the application using it, several of blockchain’s characteristics can change. In fact, the different implementations of blockchain, and the different cryptocurrencies built on it, vary along several dimensions.

Permission

Blockchains can be public or “permissionless,” such as the bitcoin blockchain, in which anyone can participate and add transactions. Other organizations are exploring “permissioned” blockchains, in which the network is made up of known participants only. Security and authentication mechanisms vary between these kinds of blockchain.

Anonymity

With ledgers being distributed among nodes, the level of anonymity is also a matter of importance. For instance, bitcoin does not require any personally identifiable information to send or receive payments on the blockchain. However, all transactions are recorded online for everyone to see, which lends a certain amount of transparency and makes total anonymity quite complicated. That’s why it’s known as pseudonymous.

Other implementations of blockchain, such as Zerocoin, use other mechanisms (zero-knowledge proofs) to enable verification without publishing the transaction data itself.

Consensus

Consensus is the mechanism used by nodes in a blockchain to securely verify and validate transactions while maintaining the consistency and integrity of the ledger. The topic is a bit complicated, but the most prevalent form used is the “proof of work” consensus model used by bitcoin, in which nodes—called “miners”—spend computation cycles to run intensive hashing algorithms and prove the authenticity of the block they’re proposing to add. The PoW mechanism prevents DoS attacks and spam.

“Proof of stake” is another popular consensus model, in which nodes are required to prove ownership of a certain amount of currency (their “stake”) to validate transactions.

This is just the beginning

Blockchain is a new way of communicating and transferring data. We still don’t know quite how it will evolve in the future, but what we do know is that it is bound to change quite a few things. A look at the figures presented in this Business Insider article proves why we can call it a disruptive technology.

I don’t know about you, but I’m excited about what blockchain surprises are waiting to be discovered down the horizon and will be exploring its uses more in the coming months.


Part 3: How do Bitcoin Transactions Work?

Bitcoin transactions are sent from and to electronic bitcoin wallets, and are digitally signed for security. Everyone on the network knows about a transaction, and the history of a transaction can be traced back to the point where the bitcoins were produced.

Holding onto bitcoins is great if you’re a speculator waiting for the price to go up, but the whole point of this currency is to spend it, right? So, when spending bitcoins, how do transactions work?

There are no bitcoins, only records of bitcoin transactions

Here’s the funny thing about bitcoins: they don’t exist anywhere, even on a hard drive. We talk about someone having bitcoins, but when you look at a particular bitcoin address, there are no digital bitcoins held in it, in the same way that you might hold dollars in a bank account. You cannot point to a physical object, or even a digital file, and say “this is a bitcoin”.

Instead, there are only records of transactions between different addresses, with balances that increase and decrease. Every transaction that ever took place is stored in a vast public ledger called the block chain. If you want to work out the balance of any bitcoin address, the information isn’t held at that address; you must reconstruct it by looking at the blockchain.

What does a transaction look like?

If Nancy sends some bitcoins to Peter, that transaction will have three pieces of information:

  • An input. This is a record of which bitcoin address was used to send the bitcoins to Nancy in the first place (she received them from her friend, Eve).
  • An amount. This is the amount of bitcoins that Nancy is sending to Peter.
  • An output. This is Peter’s bitcoin address.

How is it sent?

To send bitcoins, you need two things: a bitcoin address and a private key. A bitcoin address is generated randomly, and is simply a sequence of letters and numbers. The private key is another sequence of letters and numbers, but unlike your bitcoin address, this is kept secret.

Think of your bitcoin address as a safe deposit box with a glass front. Everyone knows what is in it, but only the private key can unlock it to take things out or put things in.

When Nancy wants to send bitcoins to Peter, she uses her private key to sign a message with the input (the source transaction(s) of the coins), amount, and output (Peter’s address).

She then sends them from her bitcoin wallet out to the wider bitcoin network. From there, bitcoin miners verify the transaction, putting it into a transaction block and eventually solving it.

Why must I sometimes wait for my transaction to clear?

Because your transaction must be verified by miners, you are sometimes forced to wait until they have finished mining. The bitcoin protocol is set so that each block takes roughly 10 minutes to mine.

Some merchants may make you wait until this block has been confirmed, meaning that you may have to make a cup of coffee and come back again in a short while before you can download the digital goods or take advantage of the paid service.

On the other hand, some merchants won’t make you wait until the transaction has been confirmed. They effectively take a chance on you, assuming that you won’t try to spend the same bitcoins somewhere else before the transaction confirms. This often happens for low value transactions, where the risk of fraud isn’t as great.

What if the input and output amounts don’t match?

Because bitcoins exist only as records of transactions, you can end up with many different transactions tied to a particular bitcoin address. Perhaps Jane sent Alice two bitcoins, Philip sent her three bitcoins and Eve sent her a single bitcoin, all as separate transactions at separate times.

These are not automatically combined in Alice’s wallet to make one file containing six bitcoins. They simply sit there as different transaction records.

When Alice wants to send bitcoins to Bob, her wallet will try to use transaction records with different amounts that add up to the number of bitcoins that she wants to send Bob.

The chances are that when Alice wants to send bitcoins to Bob, she won’t have exactly the right number of bitcoins from other transactions. Perhaps she only wants to send 1.5 BTC to Bob.

None of the transactions that she has in her bitcoin address are for that amount, and none of them add up to that amount when combined. Alice can’t just split a transaction into smaller amounts. You can only spend the whole output of a transaction, rather than breaking it up into smaller amounts.

Instead, she will have to send one of the incoming transactions, and then the rest of the bitcoins will be returned to her as change.

Alice sends the two bitcoins that she got from Jane to Bob. Jane’s transaction is the input, and Bob is the output. But the amount is only 1.5 BTC, because that is all she wants to send. So, her wallet automatically creates two outputs for her transaction: 1.5 BTC to Bob, and 0.5 BTC to a new address, which it created for Alice to hold her change.

Are there any transaction fees?

Sometimes, but not all the time. (Now how does that make sense?)

Transaction fees are calculated using various factors. Some wallets let you set transaction fees manually. Any portion of a transaction that isn’t picked up by the recipient or returned as change is considered a fee. This then goes to the miner lucky enough to solve the transaction block as an extra reward.
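The change and fee rules described above, as an added example that is not part of the original post: a toy wallet that spends whole transaction records, returns the remainder to a fresh change address, and treats anything unclaimed as the miner's fee. Amounts are integer satoshis (as real wallets use) and the addresses and transaction ids are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

SATOSHI_PER_BTC = 100_000_000   # amounts are whole satoshis, never floats

@dataclass(frozen=True)
class Output:
    """One unspent transaction output: a whole, indivisible record."""
    txid: str       # constructed id of the transaction that created it
    amount: int     # value in satoshis
    owner: str      # address allowed to spend it

@dataclass
class Transaction:
    inputs: List[Output]             # whole outputs being consumed
    outputs: List[Tuple[str, int]]   # (address, satoshis) pairs

    @property
    def fee(self) -> int:
        # Whatever the inputs carry that no output claims goes to the miner.
        return sum(i.amount for i in self.inputs) - sum(a for _, a in self.outputs)

def select_inputs(utxos: List[Output], target: int) -> List[Output]:
    """Pick whole outputs covering `target`; an output is never split."""
    # Prefer the smallest single output that covers it (Alice spends Jane's
    # 2 BTC record to pay 1.5 BTC); otherwise combine outputs, largest first.
    for u in sorted(utxos, key=lambda u: u.amount):
        if u.amount >= target:
            return [u]
    chosen, total = [], 0
    for u in sorted(utxos, key=lambda u: u.amount, reverse=True):
        chosen.append(u)
        total += u.amount
        if total >= target:
            return chosen
    raise ValueError("insufficient funds")

def build_payment(utxos: List[Output], to_addr: str, amount: int,
                  fee: int, change_addr: str) -> Transaction:
    ins = select_inputs(utxos, amount + fee)
    outs = [(to_addr, amount)]
    change = sum(i.amount for i in ins) - amount - fee
    if change > 0:
        outs.append((change_addr, change))   # remainder returns to the sender
    return Transaction(ins, outs)

def verify(tx: Transaction) -> bool:
    """A node's check: outputs may never exceed inputs (no coins from nothing)."""
    return tx.fee >= 0 and all(a > 0 for _, a in tx.outputs)

# Constructed sample: Alice's address holds three separate incoming records.
ALICE_UTXOS = [
    Output("tx-jane", 2 * SATOSHI_PER_BTC, "alice"),
    Output("tx-philip", 3 * SATOSHI_PER_BTC, "alice"),
    Output("tx-eve", 1 * SATOSHI_PER_BTC, "alice"),
]

if __name__ == "__main__":
    tx = build_payment(ALICE_UTXOS, "bob", 150_000_000, 0, "alice-change-1")
    print([i.txid for i in tx.inputs], tx.outputs, "fee:", tx.fee, "valid:", verify(tx))
```

Passing a non-zero `fee` shows the page's point that a fee is simply input value left unclaimed by any output.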

Right now, many miners process transactions for no fees. As the block reward for bitcoins decreases, this will be less likely.

One of the frustrating things about transaction fees in the past was that the calculation of those fees was complex. The fee rules developed organically as the result of several updates to the protocol.

Updates to the core software handling bitcoin transactions will change the way it handles transaction fees, estimating instead the lowest fee that will be accepted.

Can I get a receipt?

Bitcoin wasn’t really meant for receipts, although there are changes coming in version 0.9 that will alter the way payments work, making them far more user-friendly and mature.

Payment processors like BitPay also provide the advanced features that you wouldn’t normally get with a native bitcoin transaction, such as receipts and order confirmation web pages.

What if I only want to send part of a bitcoin?

Bitcoin transactions are divisible. A satoshi is one hundred millionth of a bitcoin, and it is possible to send a transaction as small as 5430 satoshis on the bitcoin network.

I will cover what “Blockchain” is in my next post. Hope this has been helpful!


Part 2: So how does Bitcoin work?

In traditional money systems, governments simply print more money when they need to. But in bitcoin, money isn’t printed at all; it is discovered. Computers around the world ‘mine’ for coins by competing with each other.

How does mining take place?

People are sending bitcoins to each other over the bitcoin network all the time, but unless someone keeps a record of all these transactions, no-one would be able to keep track of who had paid what. The bitcoin network deals with this by collecting all of the transactions made during a set period into a list, called a block. It’s the miners’ job to confirm those transactions, and write them into a general ledger.

Making a hash of it

This general ledger is a long list of blocks, known as the ‘blockchain’. It can be used to explore any transaction made between any bitcoin addresses, at any point on the network. Whenever a new block of transactions is created, it is added to the blockchain, creating an increasingly lengthy list of all the transactions that ever took place on the bitcoin network. A constantly updated copy of the block is given to everyone who participates, so that they know what is going on.

But a general ledger has to be trusted, and all of this is held digitally. How can we be sure that the blockchain stays intact, and is never tampered with? This is where the miners come in.

When a block of transactions is created, miners put it through a process. They take the information in the block, and apply a mathematical formula to it, turning it into something else. That something else is a far shorter, seemingly random sequence of letters and numbers known as a hash. This hash is stored along with the block, at the end of the blockchain at that point in time.

Hashes have some interesting properties. It’s easy to produce a hash from a collection of data like a bitcoin block, but it’s practically impossible to work out what the data was just by looking at the hash. And while it is very easy to produce a hash from a large amount of data, it is practically impossible for two different blocks to produce the same hash. If you change just one character in a bitcoin block, its hash will change completely.

Miners don’t just use the transactions in a block to generate a hash. Some other pieces of data are used too. One of these pieces of data is the hash of the last block stored in the blockchain.

Because each block’s hash is produced using the hash of the block before it, it becomes a digital version of a wax seal. It confirms that this block – and every block after it – is legitimate, because if you tampered with it, everyone would know.

If you tried to fake a transaction by changing a block that had already been stored in the blockchain, that block’s hash would change. If someone checked the block’s authenticity by running the hashing function on it, they’d find that the hash was different from the one already stored along with that block in the blockchain. The block would be instantly spotted as a fake.

Because each block’s hash is used to help produce the hash of the next block in the chain, tampering with a block would also make the subsequent block’s hash wrong too. That would continue all the way down the chain, throwing everything out of whack.

Competing for coins

So, that’s how miners ‘seal off’ a block. They all compete with each other to do this, using software written specifically to mine blocks. Every time someone successfully creates a hash, they get a reward of 25 bitcoins, the blockchain is updated, and everyone on the network hears about it. That’s the incentive to keep mining, and keep the transactions working.

The problem is that it’s very easy to produce a hash from a collection of data. Computers are really good at this. The bitcoin network has to make it more difficult, otherwise everyone would be hashing hundreds of transaction blocks each second, and all of the bitcoins would be mined in minutes. The bitcoin protocol deliberately makes it more difficult, by introducing something called ‘proof of work’.

The bitcoin protocol won’t just accept any old hash. It demands that a block’s hash has to look a certain way; it must have a certain number of zeroes at the start. There’s no way of telling what a hash is going to look like before you produce it, and as soon as you include a new piece of data in the mix, the hash will be totally different.

Miners aren’t supposed to meddle with the transaction data in a block, but they must change the data they’re using to create a different hash. They do this using another, random piece of data called a ‘nonce’. This is used with the transaction data to create a hash. If the hash doesn’t fit the required format, the nonce is changed, and the whole thing is hashed again. It can take many attempts to find a nonce that works, and all the miners in the network are trying to do it at the same time. That’s how miners earn their bitcoins.
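The hash chain, nonce search and tamper detection described in this post (and the “proof of work” consensus mentioned in the blockchain post above), as an added example that is not the original post’s code: a toy chain where each block hashes the previous block’s hash, and a miner bumps the nonce until the hash starts with enough zero hex digits. Difficulty here is a count of leading zero hex digits rather than bitcoin’s numeric target, and the transaction strings are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS_PREV = "0" * 64   # the first block has no predecessor to point at

@dataclass
class Block:
    prev_hash: str
    transactions: List[str]   # constructed entries such as "Alice->Bob:1.5"
    nonce: int = 0

    def hash(self) -> str:
        # The previous hash, the transactions and the nonce are hashed together,
        # so changing any one of them changes the result completely.
        payload = json.dumps([self.prev_hash, self.transactions, self.nonce])
        return hashlib.sha256(payload.encode()).hexdigest()

def mine(block: Block, difficulty: int) -> Block:
    """Proof of work: bump the nonce until the hash starts with enough zeros."""
    block.nonce = 0
    while not block.hash().startswith("0" * difficulty):
        block.nonce += 1
    return block

def build_chain(batches: List[List[str]], difficulty: int) -> List[Block]:
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = mine(Block(prev, list(txs)), difficulty)
        chain.append(block)
        prev = block.hash()   # the next block will seal this one
    return chain

def verify_chain(chain: List[Block], difficulty: int) -> bool:
    """Recompute every hash: each must meet the target and match the
    prev_hash recorded in the block that follows it."""
    prev = GENESIS_PREV
    for block in chain:
        h = block.hash()
        if block.prev_hash != prev or not h.startswith("0" * difficulty):
            return False
        prev = h
    return True

def tamper_demo(difficulty: int = 3) -> dict:
    """Rewrite an old transaction and show the chain rejects it, even after the
    tampered block is re-mined, because later blocks still seal the old hash."""
    chain = build_chain([["Alice->Bob:1.5"], ["Bob->Carol:0.7"], ["Carol->Dan:0.2"]],
                        difficulty)
    valid_before = verify_chain(chain, difficulty)
    chain[0].transactions[0] = "Alice->Bob:15"          # inflate an old payment
    valid_after = verify_chain(chain, difficulty)
    mine(chain[0], difficulty)                          # redo only block 0's work
    valid_after_remine = verify_chain(chain, difficulty)
    return {"valid_before": valid_before, "valid_after": valid_after,
            "valid_after_remine": valid_after_remine}

if __name__ == "__main__":
    print(tamper_demo())
```

The last result is the point of the post: to make a rewritten block stick, an attacker would have to redo the proof of work for every block after it as well.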

Hope this helps explain how Bitcoin mining works. Stay tuned for tomorrow’s post on “bitcoin transactions”.

Part 1: What is a Bitcoin and how does it work?

So I’ve been asked several times in the past couple of weeks, what is a Bitcoin and how does it work?

Bitcoin is a form of digital currency, created and held electronically. No one controls it. Bitcoins aren’t printed, like dollars or euros – they’re produced by people, and increasingly businesses, running computers all around the world, using software that solves mathematical problems.

It’s the first example of a growing category of money known as cryptocurrency.

What makes it different from normal currencies?

Bitcoin can be used to buy things electronically. In that sense, it’s like conventional dollars, euros, or yen, which are also traded digitally.

However, bitcoin’s most important characteristic, and the thing that makes it different to conventional money, is that it is decentralized. No single institution controls the bitcoin network. This puts some people at ease, because it means that a large bank can’t control their money.

Who created it?

A software developer called Satoshi Nakamoto proposed bitcoin, which was an electronic payment system based on mathematical proof. The idea was to produce a currency independent of any central authority, transferable electronically, more or less instantly, with very low transaction fees.

Who prints it?

No one. This currency isn’t physically printed in the shadows by a central bank, unaccountable to the population, and making its own rules. Those banks can simply produce more money to cover the national debt, thus devaluing their currency.

Instead, bitcoin is created digitally, by a community of people that anyone can join. Bitcoins are ‘mined’, using computing power in a distributed network.

This network also processes transactions made with the virtual currency, effectively making bitcoin its own payment network.

So you can’t churn out unlimited bitcoins?

That’s right. The bitcoin protocol – the rules that make bitcoin work – say that only 21 million bitcoins can ever be created by miners. However, these coins can be divided into smaller parts (the smallest divisible amount is one hundred millionth of a bitcoin and is called a ‘Satoshi’, after the founder of bitcoin).

What is bitcoin based on?

Conventional currency has been based on gold or silver. Theoretically, you knew that if you handed over a dollar at the bank, you could get some gold back (although this didn’t actually work in practice). But bitcoin isn’t based on gold; it’s based on mathematics.

Around the world, people are using software programs that follow a mathematical formula to produce bitcoins. The mathematical formula is freely available, so that anyone can check it.

The software is also open source, meaning that anyone can look at it to make sure that it does what it is supposed to.

What are its characteristics?

Bitcoin has several important features that set it apart from government-backed currencies.

1. It’s decentralized

The bitcoin network isn’t controlled by one central authority. Every machine that mines bitcoin and processes transactions makes up a part of the network, and the machines work together. That means that, in theory, one central authority can’t tinker with monetary policy and cause a meltdown – or simply decide to take people’s bitcoins away from them, as the Central European Bank decided to do in Cyprus in early 2013. And if some part of the network goes offline for some reason, the money keeps on flowing.

2. It’s easy to set up

Conventional banks make you jump through hoops simply to open a bank account. Setting up merchant accounts for payment is another daunting task, beset by bureaucracy. However, you can set up a bitcoin address in seconds, no questions asked, and with no fees payable.

3. It’s anonymous

Well, kind of. Users can hold multiple bitcoin addresses, and they aren’t linked to names, addresses, or other personally identifying information. However…

4. It’s completely transparent

…bitcoin stores details of every single transaction that ever happened in the network in a huge version of a general ledger, called the blockchain. The blockchain tells all.

If you have a publicly used bitcoin address, anyone can tell how many bitcoins are stored at that address. They just don’t know that it’s yours.

There are measures that people can take to make their activities more opaque on the bitcoin network, though, such as not using the same bitcoin addresses consistently, and not transferring lots of bitcoin to a single address.

5. Transaction fees are minuscule

Your bank may (most likely) charge you a fee for international transfers. Bitcoin doesn’t.

6. It’s fast

You can send money anywhere and it will arrive minutes later, as soon as the bitcoin network processes the payment.

7. It’s non-repudiable

When your bitcoins are sent, there’s no getting them back, unless the recipient returns them to you. They’re gone forever.

So, bitcoin has a lot going for it, in theory. But how does it work, in practice? Stay tuned for more tomorrow.