Bryan Becker's talk at the 2018 RMISC discussing the changing types of attacks focusing on "cryptojacking" and the future challenges for blockchain security.

1. Evolution of a
Hack
CryptoJacking, CryptoCurrencies, and Blockchains

2. Preliminaries
▪ Bryan Becker, CISSP, CCSP
▪ More Futurist, less Crypto-Maximalist
▪ Terrified of CRISPR
▪ All opinions my own and not that of my
employer.
▪ DISCLAIMER: Bad Words!
▪ I Promise.
▪ Slap me if I talk about bitcoin price.
▪ None of this should be considered financial
advice.

3. Agenda
▪ CryptoJacking and newer, rebranded attacks against companies with efforts to
exploit resources using blockchain public chains and technologies.
▪ Are we ready for an “Internet of Literal Things Encapsulated in Tokens” revolution
from a security perspective?

4. Top 5 Uses of Public Blockchain Tokens!
▪ GIVEAWAY
▪ #5 – Useless Ethereum Token (UET)
▪ FAQ: “Wait … is this a joke? Is it a scam? Neither! This is real — and it’s 100%
transparent. You’re literally giving your money to someone on the internet and getting
completely useless tokens in return.”
▪ #4 -- SpankChain
▪ #3 -- PotCoin
▪ #2 – C**kBlockChain
▪ #1 -- F*ckToken -- $0.00005.

5. What is Blockchain anyways?

6. Blockchain Fundamentals
▪ Distributed Ledger
▪ Consensus by Code
▪ Digital Scarcity
▪ Programmability (Smart Contracts)

7. Blockchain Fundamentals - “What is a Wallet”
▪ AN INTERFACE WHICH INTERACTS WITH A BLOCKCHAIN.
▪ It doesn’t store money, it stores and interacts private keys .
▪ It’s not a “place”, it’s an interface to pub/private key pairs to handle crypto assets.
▪ It can be…
▪ As simple as a piece of paper
▪ A fat client
▪ Mobile App
▪ Browser Extension
▪ Hardware token

8. How Proof of Work Consensus Works
▪ Transactions get broadcasted to a
node
▪ Node adds transaction to a block
(small file of transactions)
▪ All other validators do math during
the blocktime.
▪ One validator wins the block
discovery, adds the block to the
chain, and “wins” the lottery for
freshly minted tokens for security
incentive for ”Proof of Work”

9. How Monero Works

10. CryptoJacking History
▪ Bitcoin browser-based mining: A thing since 2011.
▪ No ASICS
▪ Bitcoin was cheap and mining was profitable (don’t slap me!)
▪ Bitcoinplus.com
▪ Mostly disappeared with the onset of new technology.
▪ More things change, the more they stay the same…

11. Current Risk: CryptoJacking
▪ CryptoJacking a.k.a. Harvest of distributed computing resources (CPU, Memory, Disk,
Bandwidth) for financial gain of attacker.
▪ With the coin mining gold rush, cryptojacking attacks skyrocketed 8,500 percent
▪ DRUPALGEDDON 2: 400 Drupal Websites hit using latest vuln.
▪ Shopify Plugin creates 5 iFrames which mines Monero.
▪ Showtime, UFC.TV.
▪ Weatherfor.us plugin for websites injects mining scripts.
▪ Fileless malware Ghostminer kills other cryptojacking competitors and mines in
memory and is nearly undetectable.
▪ CoinHive == CryptoJacking as a Service (CJaaS?)

12. It’s Literally This Easy (Invisible Browser Mining)
<script type='text/javascript' src='http://174.138.43.214/wp-
content/plugins/simple-monero-miner-coin-hive/js/smmch-
mine.js?v=1.4&#038;ver=4.9.5'></script>
Open source rig: https://github.com/xmrig/xmrig

13. Detection and Prevention
▪ Mostly detected at the network level (now)
▪ Resource Utilization and Monitoring
▪ Browser Level Detections via Software or Extensions (NoCoin, MinerBlock)
▪ Injection detection.
▪ No-Script
▪ IDS/IPS rules for DNS calls (DNS sinkholes)
▪ Anomaly Detection for Network Baseline monitoring
▪ BUILT-IN BROWSER restrictions
▪ NUCLEAR OPTION: Disable JavaScript

15. DEMO!!!!
▪ DEMO WORLD, PARTY TIME, EXCELLENT!

16. CryptoJacking
Future/Potential
▪ Why the resurgence?
▪ Privacy Based Coins
▪ Ease of Deployment
▪ Hard to find if throttled
▪ Mobile explosion
▪ Fundamental Profitability
Problem
▪ CoinHive maxed out at 13.5 MH/s
== ~5% of the Monero Hash Pool. Month by Month percentage change in
Browser-based Mining. (Symantec)

18. Future Forms of
CryptoJacking
▪ The Future of Monetization
▪ Evolution of current attacks
▪ WannaMine worm (ETERNALBLUE)
▪ GhostMiner
▪ GPU, File Storage
▪ IoT-focused CryptoJacking
▪ RadiFlow ICS Mining
▪ NEW TARGETS
▪ Fogs
▪ Kubernetes Clusters

19. CryptoJacking for Charity!
▪ UNICEF
▪ www.thehopepage.org

21. https://www.nvidia.com/object/what-is-gpu-computing.html

22. Part 2
Evolution of a Hack  Tokenized “Asset-ful” Data Structures

23. Security with Tokenized “Asset-ful” Data
Structures
▪ “I recall hearing in recent years, if you were a “startup” until you reached a
certain revenue threshold, security should not be a major concern or spend
area.” – Director-level Consultant in Boulder.
▪ You cannot mess up something decentralized in a fundamental way;
anything less than absolute correctness is absolute failure. — Charles
Noyes

24. The Internet of Money
▪ Web 3.0!
▪ Tokenize ALL THE THINGS!
▪ Make the world more liquid!
▪ Assets on the blockchain!
▪ Eliminate the middle man with smart
contracts!
▪ EVERYTHING on the Blockchain!
▪ Health Records, Identity, Supply
Chains, Security Tokens, Real Assets

25. What a time to be alive!
▪ “We rarely see people talking about what will form the main usage of Blockchain:
Robots and Machines.
This isn't going to be about whether grandpa or grandma, mommy or daddy are
gonna want to use Blockchain or not.
We are talking about the billion of interconnected devices which, for the first time
in technological history, will be able to transact value from device to device, in a
safe, fast and trustable manner.”
▪ In the near-future, the Internet of Things will move money and assets
autonomously or as directed by a DAO or AI.

27. Adoption: Blockchain news from the past 4
weeks days.
▪ “In the future, owning an asset and not having it tokenized on the blockchain will
be the equivalent of owning a company and not being on the Internet today.”
– Crypto Hedge Funder
▪ Bloomberg and Galaxy Digital just announced they're launching a
cryptocurrency index to track 10 of the most liquid crypto assets.
▪ China's Ministry of Public Security is planning to use blockchain technology to
drastically improve their handling of evidence from police investigations.
▪ Facebook is launching an internal team to exclusively focus on blockchain tech.
The team is led by David Marcus, former PayPal President & current Coinbase
board member

28. Adoption: Blockchain news from the past 4
weeks days.
▪ Oracle, the fourth largest software company in the world according to Forbes, is
launching their blockchain products this month.
▪ Consensys and Saudi Arabia‘s Ministry of Communications and Information
Technology recently held a blockchain bootcamp to teach the skills necessary for
this new world.
▪ JPMorgan filed a patent to use blockchain for Bank-to-Bank transactions.
▪ Goldman Sachs is opening a Bitcoin trading operation.
▪ The South Korean Central Bank is planning to use cryptocurrencies to achieve
a truly cashless society by 2020

31. Wall Street Journal: Paul Vizla

32. Wait, WHAT?!??! WHAT ARE WE THINKING
▪ Coinbase Bug Allowed Users to Give
Themselves Unlimited Ether - Gizmodo
▪ Founders of a cryptocurrency backed by
Floyd Mayweather charged with fraud by
SEC - CNBC

33. Wait, WHAT?!??! WHAT ARE WE THINKING
• Malware which monitors clipboards.
• Smart Contract coding vulnerabilities (PARITY)

34. Blockchains and Government
▪ Governments which recognize Smart Contracts as law
▪ Tennessee
▪ Arizona
▪ Florida
▪ More to come

35. Some Inconvenient Truths
▪ Most dApps don’t even need a blockchain.
▪ Users can’t even handle a password, now you want them a wallet and a private key?
▪ CONFIDENTIALITY BROKEN.
▪ Smart Contracts are still written by humans.
▪ Criminals flock to where the low hanging fruit is.

36. Some Inconvenient Truths
▪ Validator nodes are still servers run by someone.
▪ Internal blockchains validator nodes still are servers handled by humans.
▪ INTEGRITY BROKEN.
▪ PARADIGM CHALLENGE
▪ “Move fast and break” things for systems with tokenized assets is not an effective
development strategy.
▪ Check ourselves before we wreck ourselves.
▪ Governance, governance, governance.

37. The Power of Programmers:
A New Ethics Dilemma
▪ Security Token explosion coming.
▪ Assets, such as houses, supply chains, physical money, gold bullion.
▪ Programmers writing protocols which:
▪ Store assets.
▪ Move assets
▪ Use smart contracts to hold assets in “virtual escrow”
▪ These protocols will run be the foundation of mutual funds, asset portfolios,
money transfers, holding institutions, and the like.

38. Recommendations for our Industry
▪ NIST guidance paper(s) and Blockchain Security Framework.
▪ Overall guidelines on the tech and deployment.
▪ Internal Governance.
▪ GLB-like law for FinTech with Blockchains.
▪ Privacy Law Update. Blockchain Won’t Make it Better.
▪ Makes Law Enforcement that much harder.
▪ Massive Education Investments needed.

39. Recommendations for our Industry
▪ Reuse the Good Code!
▪ Opensource Shared User Models and pre-Deployed Contract Modules.
▪ KNOW YOUR RISK: Flipping the Development Paradigm on it’s head.
▪ Move slow so no one loses their house. Security First!
▪ Develop more smart contract auditors.
▪ Inning 2. Know Risks, Continue to Improve.

40. <FIN>
▪ Questions and Answer.
▪ QR me 
▪ Bryan Becker
▪ @_beckerb