Unifying the
Global Response
to Cybercrime
FinTech Security
Glib Pakharenko
gpaharenko (at) gmail.com
2016-04-02
FinTech is under attack
36 exchanges no longer operate; 13 exchanges claim to have been hacked. In total, more
than 950,000 bitcoins have been stolen from their rightful owners.
1. AllCrypt
2. Bitcoin
3. Bitcoin Brasil
4. Bitcoinica
5. Bitfloor
6. BitMarket.eu
7. Bitomat
8. Bitspark
9. Bitstake
10. BitYes
11. Britcoin
12. Coin
13. CoinEX
14. Coin.Mx
15. Comkort
16. Crypto
17. Cryptorush
18. Excoin
19. FXBTC
20. Harborly
21. Intersango
22. Kapiton
23. LibertyBit
24. McxNOW
25. Melotic
26. MintPal
27. MtGox
28. Prelude
29. SwissCEX
30. The Bitcoin Market
31. Tradehill
32. UpBit
33. Vault of Satoshi
34. Virtex
35. WeExchange
36. Yacuna
Dead altcoins
Malware steals bitcoins
Is bitcoin-core secure?
Is bitcoin-core secure?
Mining software is vulnerable
Just a quick look revealed multiple bugs in the mining clients BFGMiner, SGMiner and CGMiner:
• CVE-2014-4501 describes an attacker’s ability to overflow a stack buffer via a long URL argument in the “client.reconnect” message.
• CVE-2014-4502 enables an attacker to send a large or negative nonce length parameter to the client, which causes the miner to calculate an insufficient buffer size for new blocks and overwrite heap memory.
• CVE-2014-4503: an attacker in the middle of a connection can send a “mining.notify” message with malformed parameters to the client.
Mining software is vulnerable (cont.)
• An attacker can sniff the cleartext credentials in the mining.authorize message. These credentials may be reused elsewhere across the internet and may lead to account compromise.
• An attacker in the middle of a connection can replace the Bitcoin address in the username field of a mining.authorize message with their own to steal the users’ payouts from the pool.
• An attacker can spoof a “client.reconnect” message from the pool to redirect the miner to a private pool. This reconnection would not be immediately obvious to the users, and the private pool would not need to pay out any share of the block rewards.
• An attacker or a malicious pool can send a message containing a malicious payload that remotely executes code on a victim’s machine. This can be used to install malware such as rootkits and keyloggers.
• An attacker can perform a DoS attack against pool members.
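The two slides above describe malformed or spoofed Stratum messages (client.reconnect, mining.notify, the nonce-length field) reaching the miner. As an added example, not code from the presentation or from any of the named miners, the Python below is a defensive validator that a miner or a monitoring proxy could run on every line received from the pool before acting on it: it bounds the reconnect host length, refuses reconnects to hosts outside an allowlist, type- and length-checks mining.notify, and rejects a non-positive or oversized nonce-length value (the extranonce2_size entry of a mining.subscribe reply). The numeric limits, the allowlist and the sample lines are constructed for this example, not taken from any miner or pool.

```python
import json

# Limits used by this validator. They are conservative values chosen for the
# example, not numbers taken from BFGMiner/SGMiner/CGMiner sources.
MAX_LINE_BYTES = 8192        # discard oversized lines before parsing them
MAX_HOST_LEN = 255           # client.reconnect host (the CVE-2014-4501 class of bug)
MAX_EXTRANONCE2_SIZE = 16    # nonce-length field (the CVE-2014-4502 class of bug)
MAX_MERKLE_BRANCH = 64       # mining.notify merkle branch entries
KNOWN_METHODS = {"mining.notify", "client.reconnect", "mining.set_difficulty"}
# Constructed allowlist: the only hosts a client.reconnect may point the miner at.
TRUSTED_POOLS = {"pool.example.com"}

HEX = set("0123456789abcdefABCDEF")


def _is_hex(value, nbytes=None):
    """True if value is an even-length hex string (optionally exactly nbytes long)."""
    if not isinstance(value, str) or len(value) % 2 or not set(value) <= HEX:
        return False
    return nbytes is None or len(value) == 2 * nbytes


def _check_reconnect(params):
    # Host must be a short string on the allowlist; the port must be a valid TCP port.
    if not params or not isinstance(params[0], str):
        return False, "reconnect: missing host"
    if len(params[0]) > MAX_HOST_LEN:
        return False, "reconnect: host too long"
    if params[0] not in TRUSTED_POOLS:
        return False, "reconnect: host not on allowlist"
    if len(params) > 1 and not (type(params[1]) is int and 0 < params[1] < 65536):
        return False, "reconnect: bad port"
    return True, "ok"


def _check_notify(params):
    # Every field is type- and length-checked before the miner parses it into buffers.
    if len(params) != 9:
        return False, "notify: expected 9 params"
    job_id, prevhash, coinb1, coinb2, branch, version, nbits, ntime, clean = params
    if not isinstance(job_id, str) or len(job_id) > 64:
        return False, "notify: bad job_id"
    if not _is_hex(prevhash, 32):
        return False, "notify: prevhash is not 32 bytes of hex"
    if not (_is_hex(coinb1) and _is_hex(coinb2)):
        return False, "notify: coinbase parts are not hex"
    if (not isinstance(branch, list) or len(branch) > MAX_MERKLE_BRANCH
            or not all(_is_hex(h, 32) for h in branch)):
        return False, "notify: bad merkle branch"
    if not all(_is_hex(f, 4) for f in (version, nbits, ntime)):
        return False, "notify: version/nbits/ntime must be 4-byte hex"
    if not isinstance(clean, bool):
        return False, "notify: clean_jobs must be boolean"
    return True, "ok"


def _check_response(result):
    # A mining.subscribe reply carries [subscriptions, extranonce1, extranonce2_size];
    # the size is the "nonce length parameter" of the slide and sizes a heap buffer.
    if isinstance(result, list) and len(result) == 3:
        _subs, extranonce1, size = result
        if not _is_hex(extranonce1):
            return False, "subscribe: extranonce1 is not hex"
        if type(size) is not int or not 0 < size <= MAX_EXTRANONCE2_SIZE:
            return False, "subscribe: extranonce2_size out of range"
    return True, "ok"


def validate_stratum_line(line):
    """Validate one newline-delimited Stratum message coming from the pool side.
    Returns (accepted, reason); a rejected message must be dropped, never acted on."""
    if len(line) > MAX_LINE_BYTES:
        return False, "line too long"
    try:
        msg = json.loads(line)
    except ValueError:
        return False, "not valid JSON"
    if not isinstance(msg, dict):
        return False, "not a JSON object"
    method, params = msg.get("method"), msg.get("params")
    if method is None:
        return _check_response(msg.get("result"))
    if method not in KNOWN_METHODS:
        return False, "unknown method %r" % method
    if not isinstance(params, list):
        return False, "params is not a list"
    if method == "client.reconnect":
        return _check_reconnect(params)
    if method == "mining.notify":
        return _check_notify(params)
    ok = len(params) == 1 and isinstance(params[0], (int, float)) and params[0] > 0
    return (True, "ok") if ok else (False, "set_difficulty: bad value")


# Constructed sample traffic (not captured from any real pool).
SAMPLE_LINES = [
    '{"id":null,"method":"mining.notify","params":["job1","' + "00" * 32
    + '","01000000","ffffffff",[],"20000000","1d00ffff","5a000000",true]}',
    '{"id":null,"method":"client.reconnect","params":["' + "a" * 300 + '",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["evil.example.net",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["pool.example.com",3333,0]}',
    '{"id":1,"result":[[],"08000002",-1],"error":null}',
    '{"id":null,"method":"mining.notify","params":["job2","zz",""]}',
]


def audit(lines):
    """Run the validator over a list of lines; returns a list of (accepted, reason)."""
    return [validate_stratum_line(line) for line in lines]


if __name__ == "__main__":
    for line, (ok, why) in zip(SAMPLE_LINES, audit(SAMPLE_LINES)):
        print("ACCEPT" if ok else "REJECT", why, "|", line[:60])
```

Field names follow the public Stratum mining protocol; the limits are deliberately tight and should be tuned to the pools actually in use. Validation does nothing about the cleartext mining.authorize credentials and address on the wire: that needs the pool connection itself to be encrypted (TLS to the pool, or a local proxy that terminates it), so the message cannot be sniffed or rewritten in transit.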
Mining issues
The chain of events that led to financial loss for miners:
• late software update
• dependency on the OpenSSL software
• hard fork
• SPV nodes conflicted with up-to-date full nodes
Randomness issues
The problem:
• weak random number generation in the Java Cryptography Architecture (JCA) on Android
• use of the http://random.org site to obtain random numbers over an unencrypted connection and without handling server errors
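As an added example, not the wallet code the slide refers to, the Python below shows the two fixes the slide implies: draw key material from the OS CSPRNG locally, and if an external service such as random.org is consulted at all, treat its reply as untrusted, handle errors explicitly, and only ever mix it into local entropy rather than using it as the sole source. The function names (`parse_remote_entropy`, `mix_entropy`, `generate_private_key`), the constructed service replies and the sanity checks are assumptions of this example.

```python
import hashlib
import secrets

# secp256k1 group order: a usable private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class EntropyError(Exception):
    """Raised when key material cannot be produced safely."""


def local_entropy(nbytes=32):
    # secrets.token_bytes reads the OS CSPRNG; nothing here goes over the network.
    return secrets.token_bytes(nbytes)


def parse_remote_entropy(status, body):
    """Parse the reply of a remote randomness service defensively.
    Any problem (non-200 status, empty or non-hex body) yields None instead of
    silently turning an error page or a truncated reply into 'random' bytes.
    The status/body shape is a constructed stand-in for a real HTTP reply."""
    if status != 200 or not body:
        return None
    try:
        data = bytes.fromhex(body.strip())
    except ValueError:
        return None
    return data or None


def mix_entropy(local, remote=None):
    """Combine local CSPRNG output with an optional untrusted extra source.
    Hashing both with domain labels means the remote bytes can only add entropy:
    if they are missing, short, or attacker-chosen, the output is no weaker
    than `local` alone."""
    if len(local) < 32:
        raise EntropyError("need at least 32 bytes of local entropy")
    if len(set(local)) == 1:
        # Crude sanity check only: catches a stuck/zeroed generator, not a
        # subtly under-seeded one like the Android JCA case on the slide.
        raise EntropyError("local entropy is a constant byte; RNG looks broken")
    h = hashlib.sha256()
    h.update(b"local:" + local)
    if remote:
        h.update(b"remote:" + remote)
    return h.digest()


def private_key_from_entropy(ent):
    """Map 32 bytes to a scalar and reject the (astronomically rare) out-of-range values."""
    k = int.from_bytes(ent, "big")
    if not 1 <= k < SECP256K1_N:
        raise EntropyError("entropy maps outside the curve order; draw again")
    return k


def generate_private_key(remote_status=None, remote_body=None):
    """End to end: local entropy, optional remote mix-in, range check.
    A failed or hostile remote reply degrades to local-only, never to 'no key'."""
    remote = None
    if remote_status is not None:
        remote = parse_remote_entropy(remote_status, remote_body)
    return private_key_from_entropy(mix_entropy(local_entropy(), remote))


if __name__ == "__main__":
    # Constructed replies: a healthy one and a server error that must not poison the key.
    print(hex(generate_private_key(200, "a1b2c3d4" * 8)))
    print(hex(generate_private_key(503, "<html>Service Unavailable</html>")))
```

The mixing step is the important design choice: a remote source can then never lower the quality of the key, only raise it, so fetching it becomes an optional extra rather than a single point of failure. It does not rescue a broken local generator, which is why the local source must be the OS CSPRNG and not a user-space PRNG seeded from little entropy.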
Passphrase wallet weakness
Insider threats
A cold wallet is not enough
51% issue
Bitcoins can simply be lost
Law enforcement can take your bitcoins
Law enforcement can take your bitcoins
What to do?
• Manage the project risk and recognize the IT security risk
• Use the power of Blockchain:
  • Multisig
  • Key derivation
  • Rely on Blockchain (record the transaction)
  • Cold wallets
  • Backups
  • Use recent achievements in Blockchain technology and smart contracts
• Use the application security standards:
  • Open Application Security Maturity Model (OpenSAMM)
  • Application Security Verification Standard (ASVS)
  • OWASP Proactive Controls
  • OWASP Top 10 for web and mobile
• Manage security (use ISO 27001 and COBIT 5)
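To make the “Key derivation” and “Backups” items above concrete, the following is an added example, not the presenter’s code. It assumes the slide refers to BIP32-style hierarchical deterministic derivation (an assumption; the slide does not name a scheme) and implements only the hardened branch of BIP32 with HMAC-SHA512, so that one backed-up seed regenerates every key while a leaked child key cannot be used to reconstruct its siblings. Non-hardened derivation, which needs elliptic-curve point arithmetic, is deliberately left out. `DEMO_SEED` is the first public BIP32 test-vector seed, used here only as constructed input, and `wallet_keys` is an illustrative account layout, not a standard one.

```python
import hashlib
import hmac

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # high bit of the index marks a hardened child


def master_key(seed):
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed' over the seed.
    Returns (private_key_int, chain_code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; pick another seed")
    return k, digest[32:]


def derive_hardened_child(k_par, c_par, index):
    """Hardened child (index') of a private node. Only the private parent can
    derive it, so a leaked child key plus chain code does not expose siblings."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be in [0, 2^31); the hardened bit is added here")
    i = index | HARDENED
    # Hardened derivation commits to the parent private key, not its public key.
    data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k == 0:
        # BIP32 says such an index is invalid and the caller proceeds to the next one.
        raise ValueError("invalid child at this index; use the next index")
    return k, digest[32:]


def derive_hardened_path(seed, indices):
    """Derive m/i0'/i1'/... from a seed; every key is recomputable from the seed alone,
    which is what makes a single seed backup sufficient."""
    k, c = master_key(seed)
    for idx in indices:
        k, c = derive_hardened_child(k, c, idx)
    return k, c


def wallet_keys(seed, account, count):
    """Illustrative layout (not a standard): account node m/account', then hot-wallet
    keys m/account'/0' ... m/account'/(count-1)'. Returns the private keys as hex."""
    acct_k, acct_c = derive_hardened_path(seed, [account])
    return [
        derive_hardened_child(acct_k, acct_c, n)[0].to_bytes(32, "big").hex()
        for n in range(count)
    ]


# Constructed demo seed: the first BIP32 test-vector seed (public test data, not a wallet).
DEMO_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    k, _ = master_key(DEMO_SEED)
    print("master:", k.to_bytes(32, "big").hex())
    for n, key in enumerate(wallet_keys(DEMO_SEED, 0, 3)):
        print("m/0'/%d':" % n, key)
```

In practice the seed itself should come from the OS CSPRNG, be written once to an offline backup, and never leave the cold side; the hot side then only receives the specific child keys (or, with the non-hardened scheme not shown here, only public keys) it needs for day-to-day spending.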
Let’s get in touch!
