BGP hijacking: Cybercriminals used Internet architecture ...
The Canadian Bitcoin Hijack - BGPmon
Hijacking Bitcoin: Routing Attacks on Cryptocurrencies ...
Hijacking Bitcoin: Routing Attacks on Cryptocurrencies
A few stories about Brian Krebs: The independent cybercrime journalist who exposes criminals on the internet
First, a bit of introduction before we get into the living drama that is Brian Krebs. Brian Krebs has been a journalist for decades, starting in the late 90s. He got his start at The Washington Post, but what he's most famous for are his exposes on criminal businesses and individuals who perpetuate cyber crime worldwide. In 2001, he got his interest in cybercrime piqued when a computer worm locked him out of his own computer. In 2005, he shifted from working as a staff writer at The Washington Post's tech newswire to writing for their security blog, "Security Wire". During his tenure there, he started by focusing on the victims of cybercrime, but later also started to focus on the perpetrators of it as well. His reporting helped lead to the shutdown of McColo, a hosting provider who provided service to some of the world's biggest spammers and hackers. Reports analyzing the shutdown of McColo estimated that global spam volume dropped by between 40 and 70 percent. Further analysis revealed it also played host to child pornography sites, and the Russian Business Network, a major Russian cybercrime ring. In 2009, Krebs left to start his own site, KrebsOnSecurity. Since then, he's been credited with being the first to report on major events such as Stuxnet and when Target was breached, resulting in the leakage of 40 million cards. He also regularly investigates and reveals criminals' identities on his site. The latter has made him the bane of the world of cybercrime, as well as basically a meme, where criminals will include references like Made by Brian Krebs in their code, or name their shops full of stolen credit cards after him. One of his first posts on his new site was a selection of his best work. While not particularly dramatic, they serve as an excellent example of dogged investigative work, and his series reveal the trail of takedowns his work has documented, or even contributed to. And now, a selection of drama involving Krebs. Note, all posts are sarcastically-tinged retellings of the source material which I will link throughout. I also didn't use the real names in my retellings, but they are in the source material. This took way too long to write, and it still does massively condense the events described in the series. Krebs has been involved with feuds with other figures, but I'd argue these tales are the "main" bits of drama that are most suited for here.
Fly on the Wall
By 2013, Krebs was no stranger to cybercriminals taking the fight to the real world. He was swatted previously to the point where the police actually know to give him a ring and see if there'd actually been a murder, or if it was just those wacky hackers at it again. In addition, his identity was basically common knowledge to cybercriminals, who would open lines of credit in his name, or find ways to send him money using stolen credit cards. However, one particular campaign against him caught his eye. A hacker known as "Fly" aka "Flycracker" aka "MUXACC1" posted on a Russian-language fraud forum he administered about a "Krebs fund". His plan was simple. Raise Bitcoin to buy Heroin off of a darknet marketplace, address it to Krebs, and alert his local police via a spoofed phone call. Now, because Krebs is an investigative journalist, he develops undercover presences on cybercrime forums, and it just so happened he'd built up a presence on this one already.
Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the "Helping Brian Fund", and shortly we will create a bitcoin wallet called "Drugs for Krebs" which we will use to buy him the purest heroin on the Silk Road. My friends, his withdrawal is very bad, let’s join forces to help the guy! We will save Brian from the acute heroin withdrawal and the world will get slightly better!
Fly had first caught Krebs' attention by taunting him on Twitter, sending him Tweets including insults and abuse, and totally-legit looking links. Probably either laced with malware, or designed to get Krebs' IP. He also took to posting personal details such as Krebs' credit report, directions to his house, and pictures of his front door on LiveJournal, of all places. So, after spotting the scheme, he alerted his local police that he'd probably have someone sending him some China White. Sure enough, the ne'er-do-wells managed to raise 2 BTC, which at the time was a cool $200 or so. They created an account on the premiere darknet site at the time, The Silk Road under the foolproof name "briankrebs7". They found one seller who had consistently high reviews, but the deal fell through for unknown reasons. My personal theory is the seller decided to Google where it was going, and realized sending a gram of dope into the waiting arms of local law enforcement probably wasn't the best use of his time. Still, the forum members persevered, and found another seller who was running a buy 10 get 2 free promotion. $165 of Bitcoin later, the drugs were on their way to a new home. The seller apparently informed Fly that the shipment should arrive by Tuesday, a fact which he gleefully shared with the forum. While our intrepid hero had no doubt that the forum members were determined to help him grab the tail of the dragon, he's not one to assume without confirmation, and enlisted the help of a graduate student at UCSD who was researching Bitcoin and anonymity on The Silk Road, and confirmed the address shared by Fly was used to deposit 2 BTC into an account known to be used for money management on the site. By Monday, an envelope from Chicago had arrived, containing a copy of Chicago confidential. Taped inside were tiny baggies filled with the purported heroin. Either dedicated to satisfied customers, or mathematically challenged, the seller had included thirteen baggies instead of the twelve advertised. A police officer arrived to take a report and whisked the baggies away. Now, Fly was upset that Krebs wasn't in handcuffs for drug possession, and decided to follow up his stunt by sending Krebs a floral arrangement shaped like a cross, and an accompanying threatening message addressed to his wife, the dire tone slightly undercut by the fact that it was signed "Velvet Crabs". Krebs' curiosity was already piqued from the shenanigans with the heroin, but with the arrival of the flowers decided to dive deeper into the сука behind things. He began digging into databases from carding sites that had been hacked, but got his first major breakthrough to his identity from a Russian computer forensics firm. Fly had maintained an account on a now-defunct hacking forum, whose database was breached under "Flycracker". It turns out, the email Flycracker had used was also hacked at some point, and a source told Krebs that the email was full of reports from a keylogger Fly had installed on his wife's computer. Now, because presumably his wife wasn't part of, or perhaps even privy to her husband's illicit dealings, her email account happened to be her full legal name, which Krebs was able to trace to her husband. Now, around this time, the site Fly maintained disappeared from the web, and administrators on another major fraud forum started purging his account. This is a step they typically take when they suspect a member has been apprehended by authorities. Nobody knew for sure, but they didn't want to take any chances. More research by Krebs revealed that the criminals' intuition had been correct, and Fly was arrested in Italy, carrying documents under an assumed name. He was sitting in an Italian jail, awaiting potential extradition to the United States, as well as potentially facing charges in Italy. This was relayed to Krebs by a law enforcement official who simply said "The Fly has been swatted". (Presumably while slowly removing a pair of aviator sunglasses) While Fly may have been put away, the story between Krebs and Fly wasn't quite over. He did end up being extradited to the US for prosecution, but while imprisoned in Italy, Fly actually started sending Krebs letters. Understandably distrustful after the whole "heroin" thing, his contacts in federal law enforcement tested the letter, and found it to be clean. Inside, there was a heartfelt and personal letter, apologizing for fucking with Krebs in so many ways. He also forgave Krebs for posting his identity online, leading him to muse that perhaps Fly was working through a twelve-step program. In December, he received another letter, this time a simple postcard with a cheerful message wishing him a Merry Christmas and a Happy New Year. Krebs concluded his post thusly:
Cybercrooks have done some pretty crazy stuff to me in response to my reporting about them. But I don’t normally get this kind of closure. I look forward to meeting with Fly in person one day soon now that he will be just a short train ride away. And he may be here for some time: If convicted on all charges, Fly faces up to 30 years in U.S. federal prison.
Criminals are none too happy when they find their businesses and identities on the front page of KrebsOnSecurity. It usually means law enforcement isn't far behind. One such business was known as vDOS. A DDOS-for-hire (also known as a "booter" or a "stresser") site that found itself hacked, with all their customer records still in their databases leaked. Analysis of the records found that in a four-month time span, the service had been responsible for about 8.81 years worth of attack time, meaning on average at any given second, there were 26 simultaneous attacks running. Interestingly, the hack of vDOS came about from another DDOS-for-hire site, who as it turns out was simply reselling services provided by vDOS. They were far from the only one. vDOS appeared to provide firepower to a large number of different resellers. In addition to the attack logs, support messages were also among the data stolen. This contained some complaints from various clients who complained they were unable to launch attacks against Israeli IPs. This is a common tactic by hackers to try and avoid unwanted attention from authorities in their country of residence. This was confirmed when two men from Israel were arrested for their involvement in owning and running vDOS. However, this was just the beginning for this bit of drama. The two men arrested went by the handles "applej4ck" and "Raziel". They had recently published a paper on DDOS attack methods in an online Israeli security magazine. Interestingly, on the same day the men were arrested, questioned, and released on bail, vDOS went offline. Not because it had been taken down by Israeli authorities, not because they had shut it down themselves, but because a DDOS protection firm, BackConnect Security, had hijacked the IP addresses belonging to the company. To spare a lot of technical detail, it's called a BGP hijack, and it basically works by a company saying "Yeah, those are our addresses." It's kind of amazing how much of the internet is basically just secured by the digital equivalent of pinky swears. You can read some more technical detail on Wikipedia. Anyway, we'll get back to BackConnect. Following the publication of the story uncovering the inner workings of vDOS, KrebsOnSecurity was hit with a record breaking DDOS attack, that peaked at 620/Gbps, nearly double the most powerful DDOS attack previously on record. To put that in perspective, that's enough bandwidth to download 5 simultaneous copies of Interstellar in 4K resolution every single second, and still have room to spare. The attack was so devastating, Akamai, one of the largest providers of DDOS protection in the world had to drop Krebs as a pro bono client. Luckily, Google was willing to step in and place his site under the protection of Google's Project Shield, a free service designed to protect the news sites and journalists from being knocked offline by DDOS attacks. This attack was apparently in retaliation for the vDOS story, since some of the data sent in the attack included the string "freeapplej4ck". The attack was executed by a botnet of Internet of Things (or IoT) devices. These are those "smart" devices like camera systems, routers, DVRs. Basically things that connect to the cloud. An astounding amount of those are secured with default passwords that can be easily looked up from various sites or even the manufacturers' websites. This was the start of a discovery of a massive botnet that had been growing for years. Now time for a couple quick side stories: Dyn, a company who provides DNS to many major companies including Twitter, Reddit, and others came under attack, leaving many sites (including Twitter and Reddit) faltering in the wake of it. Potentially due to one of their engineers' collaboration with Krebs on another story. It turned out that the same botnet that attacked Krebs' site was at least part of the attack on Dyn And back to BackConnect, that DDOS protection firm that hijacked the IP addresses from vDOS. Well it turns out BGP Hijacks are old hat for the company. They had done it at least 17 times before. Including at least once (purportedly with permission) for the address 220.127.116.11. Aka, "leet". It turns out one of the co-founders of BackConnect actually posted screenshots of him visiting sites that tell you your public IP address in a DDOS mitigation industry chat, showing it as 18.104.22.168. They also used a BGP Hijack against a hosting company and tried to frame a rival DDOS mitigation provider. Finally, another provider, Datawagon was interestingly implicated in hosting DDOS-for-hire sites while offering DDOS protection. In a Skype conversation where the founder of Datawagon wanted to talk about that time he registered dominos.pizza and got sued for it, he brings up scanning the internet for vulnerable routers completely unprompted. Following the publication of the story about BackConnect, in which he was included in, he was incensed about his portrayal, and argued with Krebs over Skype before Krebs ultimately ended up blocking him. He was subsequently flooded with fake contact requests from bogus or hacked Skype accounts. Shortly thereafter, the record-breaking DDOS attack rained down upon his site. Back to the main tale! So, it turns out the botnet of IoT devices was puppeteered by a malware called Mirai. How did it get its name? Well, that's the name its creator gave it, after an anime called Mirai Nikki. How did this name come to light? The creator posted the source code online. (The name part, not the origin. The origin didn't come 'til later.) The post purported that they'd picked it up from somewhere in their travels as a DDOS industry professional. It turns out this is a semi-common tactic when miscreants fear that law enforcement might come looking for them, and having the only copy of the source code of a malware in existence is a pretty strong indicator that you have something to do with it. So, releasing the source to the world gives a veneer of plausible deniability should that eventuality come to pass. So who was this mysterious benefactor of malware source? They went by the name "Anna-senpai". As research on the Mirai botnet grew, and more malware authors incorporated parts of Mirai's source code into their own attacks, attention on the botnet increased, and on the people behind it. The attention was presumably the reason why Hackforums, the forum where the source code was posted, later disallowed ostensible "Server Stress Tester" services from being sold on it. By December, "Operation Tarpit" had wrought 34 arrests and over a hundred "knock and talk" interviews questioning people about their involvement. By January, things started to come crashing down. Krebs published an extensive exposé on Anna-senpai detailing all the evidence linking them to the creation of Mirai. The post was so big, he included a damn glossary. What sparked the largest botnet the internet had ever seen? Minecraft. Minecraft servers are big business. A popular one can earn tens of thousands of dollars per month from people buying powers, building space, or other things. It's also a fiercely competitive business, with hundreds of servers vying for players. It turns out that things may have started, as with another set of companies, two rival DDOS mitigation providers competing for customers. ProTraf was a provider of such mitigation technology, and a company whose owner later worked for ProTraf had on at least one occasion hijacked addresses belonging to another company, ProxyPipe. ProxyPipe had also been hit with DDOS attacks they suspected to be launched by ProTraf. While looking into the President of ProTraf, Krebs realized he'd seen the relatively uncommon combination of programming languages and skills posted by the President somewhere else. They were shared by Anna-senpai on Hackforums. As Krebs dug deeper and deeper into Anna-senpai's online presence, he uncovered other usernames, including one he traced to some Minecraft forums where a photoshopped picture of a still from Pulp Fiction contained the faces of BackConnect, which was a rival to ProTraf's DDOS mitigation business, and another face. A hacker by the name of Vyp0r, who another employee of ProTraf claimed betrayed his trust and blackmailed him into posting the source of another piece of malware called Bashlite. There was also a third character photoshopped into the image. An anime character named "Yamada" from a movie called B Gata H Hei. Interestingly, under the same username, Krebs found a "MyAnimeList" profile which, out of 9 titles it had marked as watched, were B Gata H Hei, as well as Mirai Nikki, the show from which Mirai derived its name. It continues on with other evidence, including DDOS attacks against Rutgers University, but in short, there was little doubt in the identity of "Anna-senpai", but the person behind the identity did contact Krebs to comment. He denied any involvement in Mirai or DDOS attacks.
"I don’t think there are enough facts to definitively point the finger at me," [Anna-senpai] said. "Besides this article, I was pretty much a nobody. No history of doing this kind of stuff, nothing that points to any kind of sociopathic behavior. Which is what the author is, a sociopath."
I don't have the time or energy to write another effortpost, and as is I'm over 20,000 characters, so here's a few other tidbits of Krebs' clashes with miscreants.
A source and security researcher he was talking to started blabbing about him working with Krebs, and also was selling data to hackers on the side. His example data in his sales post was fucking Brian Krebs'.
Abstract As the most successful cryptocurrency to date, Bitcoin constitutes a target of choice for attackers. While many attack vectors have already been uncovered, one important vector has been left out though: attacking the currency via the Internet routing infrastructure itself. Indeed, by manipulating routing advertisements (BGP hijacks) or by naturally intercepting traffic, Autonomous Systems (ASes) can intercept and manipulate a large fraction of Bitcoin traffic. This paper presents the first taxonomy of routing attacks and their impact on Bitcoin, considering both small-scale attacks, targeting individual nodes, and large-scale attacks, targeting the network as a whole. While challenging, we show that two key properties make routing attacks practical: (i) the efficiency of routing manipulation; and (ii) the significant centralization of Bitcoin in terms of mining and routing. Specifically, we find that any network attacker can hijack few (<100) BGP prefixes to isolate ~50% of the mining power---even when considering that mining pools are heavily multi-homed. We also show that on-path network attackers can considerably slow down block propagation by interfering with few key Bitcoin messages. We demonstrate the feasibility of each attack against the deployed Bitcoin software. We also quantify their effectiveness on the current Bitcoin topology using data collected from a Bitcoin supernode combined with BGP routing data. The potential damage to Bitcoin is worrying. By isolating parts of the network or delaying block propagation, attackers can cause a significant amount of mining power to be wasted, leading to revenue losses and enabling a wide range of exploits such as double spending. To prevent such effects in practice, we provide both short and long-term countermeasures, some of which can be deployed immediately. References  “A Next-Generation Smart Contract and Decentralized Application Platform ,” https://github.com/ethereum/wiki/wiki/White-Paper.  “Bitcoin Blockchain Statistics,” https://blockchain.info/.  “bitnodes,” https://bitnodes.21.co/.  “Bitnodes. Estimating the size of Bitcoin network,” https://bitnodes.21.co/.  “CAIDA Macroscopic Internet Topology Data Kit.” https://www.caida.org/data/internet-topology-data-kit/.  “Dyn Research. Pakistan hijacks YouTube.” http://research.dyn.com/2008/02/pakistan-hijacks-youtube-1/.  “FALCON,” http://www.falcon-net.org/.  “FIBRE,” http://bitcoinfibre.org/.  “Litecoin ,” https://litecoin.org.  “RIPE RIS Raw Data,” https://www.ripe.net/data-tools/stats/ris/ris-raw-data.  “Routeviews Prefix to AS mappings Dataset (pfx2as) for IPv4 and IPv6.” https://www.caida.org/data/routing/routeviews-prefix2as.xml.  “Scapy.” http://www.secdev.org/projects/scapy/.  “The Relay Network,” http://bitcoinrelaynetwork.org/.  “ZCash,” https://z.cash/.  A. M. Antonopoulos, “The bitcoin network,” in Mastering Bitcoin. O’Reilly Media, Inc., 2013, ch. 6.  H. Ballani, P. Francis, and X. Zhang, “A Study of Prefix Hijacking and Interception in the Internet,” ser. SIGCOMM ’07. New York, NY, USA: ACM, 2007, pp. 265–276.  A. Boldyreva and R. Lychev, “Provable Security of S-BGP and Other Path Vector Protocols: Model, Analysis and Extensions,” ser. CCS ’12. New York, NY, USA: ACM, 2012, pp. 541–552.  J. Bonneau, A. Miller, J. Clark, A. Narayanan, J. A. Kroll, and E. W. Felten, “Sok: Research perspectives and challenges for bitcoin and cryptocurrencies,” in Security and Privacy (SP), 2015 IEEE Symposium on. IEEE, 2015, pp. 104–121.  P. Bosshart, D. Daly, G. Gibb, M. Izzard, N. McKeown, J. Rexford, C. Schlesinger, D. Talayco, A. Vahdat, G. Varghese et al., “P4: Programming protocol-independent packet processors,” ACM SIGCOMM Computer Communication Review, vol. 44, no. 3, pp. 87–95, 2014.  C. Decker and R. Wattenhofer, “Information propagation in the bitcoin network,” in Peer-to-Peer Computing (P2P), 2013 IEEE Thirteenth International Conference on. IEEE, 2013, pp. 1–10.  ——, Bitcoin Transaction Malleability and MtGox. Cham: Springer International Publishing, 2014, pp. 313–326. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-11212-1_18  M. Edman and P. Syverson, “As-awareness in tor path selection,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS ’09, 2009.  I. Eyal, “The miner’s dilemma,” in 2015 IEEE Symposium on Security and Privacy. IEEE, 2015, pp. 89–103.  I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining is vulnerable,” in Financial Cryptography and Data Security. Springer, 2014, pp. 436–454.  N. Feamster and R. Dingledine, “Location diversity in anonymity networks,” in WPES, Washington, DC, USA, October 2004.  J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone protocol: Analysis and applications,” in Advances in Cryptology-EUROCRYPT 2015. Springer, 2015, pp. 281–310.  A. Gervais, G. O. Karama, V. Capkun, and S. Capkun, “Is bitcoin a decentralized currency?” IEEE security & privacy, vol. 12, no. 3, pp. 54–60, 2014.  A. Gervais, H. Ritzdorf, G. O. Karame, and S. Capkun, “Tampering with the delivery of blocks and transactions in bitcoin,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’15. New York, NY, USA: ACM, 2015, pp. 692–705.  P. Gill, M. Schapira, and S. Goldberg, “Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security,” ser. SIGCOMM ’11. New York, NY, USA: ACM, 2011, pp. 14–25.  S. Goldberg, M. Schapira, P. Hummon, and J. Rexford, “How Secure Are Secure Interdomain Routing Protocols,” in SIGCOMM, 2010.  E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, “Eclipse attacks on bitcoin’s peer-to-peer network,” in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 129–144.  Y.-C. Hu, A. Perrig, and M. Sirbu, “SPV: Secure Path Vector Routing for Securing BGP,” ser. SIGCOMM ’04. New York, NY, USA: ACM, 2004, pp. 179–192.  J. Karlin, S. Forrest, and J. Rexford, “Pretty Good BGP: Improving BGP by Cautiously Adopting Routes,” in Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols, ser. ICNP ’06. Washington, DC, USA: IEEE Computer Society, 2006, pp. 290–299.  E. K. Kogias, P. Jovanovic, N. Gailly, I. Khoffi, L. Gasser, and B. Ford, “Enhancing bitcoin security and performance with strong consistency via collective signing,” in 25th USENIX Security Symposium (USENIX Security 16). Austin, TX: USENIX Association, 2016, pp. 279–296.  J. A. Kroll, I. C. Davey, and E. W. Felten, “The economics of bitcoin mining, or bitcoin in the presence of adversaries.” Citeseer.  A. Miller, J. Litton, A. Pachulski, N. Gupta, D. Levin, N. Spring, and B. Bhattacharjee, “Discovering bitcoin’s public topology and influential nodes.”  S. J. Murdoch and P. Zielinski, “Sampled traffic analysis by Internet- ´ exchange-level adversaries,” in Privacy Enhancing Technologies: 7th International Symposium, PET 2007, N. Borisov and P. Golle, Eds. Springer-Verlag, LNCS 4776, 2007, pp. 167–183.  K. Nayak, S. Kumar, A. Miller, and E. Shi, “Stubborn mining: Generalizing selfish mining and combining with an eclipse attack,” IACR Cryptology ePrint Archive, vol. 2015, p. 796, 2015.  T. Neudecker, P. Andelfinger, and H. Hartenstein, “A simulation model for analysis of attacks on the bitcoin peer-to-peer network,” in IFIP/IEEE International Symposium on Internet Management. IEEE, 2015, pp. 1327–1332.  P. v. Oorschot, T. Wan, and E. Kranakis, “On interdomain routing security and pretty secure bgp (psbgp),” ACM Trans. Inf. Syst. Secur., vol. 10, no. 3, Jul. 2007.  A. Pilosov and T. Kapela, “Stealing The Internet. An Internet-Scale Man In The Middle Attack.” DEFCON 16.  Y. Rekhter and T. Li, A Border Gateway Protocol 4 (BGP-4), IETF, Mar. 1995, rFC 1771.  M. Rosenfeld, “Analysis of hashrate-based double spending,” arXiv preprint arXiv:1402.2009, 2014.  A. Sapirshtein, Y. Sompolinsky, and A. Zohar, “Optimal selfish mining strategies in bitcoin,” CoRR, vol. abs/1507.06183, 2015.  E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza, “Zerocash: Decentralized anonymous payments from bitcoin,” in 2014 IEEE Symposium on Security and Privacy. IEEE, 2014, pp. 459–474.  B. Schlinker, K. Zarifis, I. Cunha, N. Feamster, and E. Katz-Bassett, “Peering: An as for us,” in Proceedings of the 13th ACM Workshop on Hot Topics in Networks, ser. HotNets-XIII. New York, NY, USA: ACM, 2014, pp. 18:1–18:7.  J. Schnelli, “BIP 151: Peer-to-Peer Communication Encryption,” Mar. 2016, https://github.com/bitcoin/bips/blob/mastebip-0151.mediawiki.  X. Shi, Y. Xiang, Z. Wang, X. Yin, and J. Wu, “Detecting prefix hijackings in the Internet with Argus,” ser. IMC ’12. New York, NY, USA: ACM, 2012, pp. 15–28.  Y. Sompolinsky and A. Zohar, “Secure high-rate transaction processing in bitcoin,” in Financial Cryptography and Data Security. Springer, 2015, pp. 507–527.  Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal, “RAPTOR: Routing attacks on privacy in TOR.” in USENIX Security, 2015.  A. Tonk, “Large scale BGP hijack out of India,” 2015, http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/.  ——, “Massive route leak causes Internet slowdown,” 2015, http://www.bgpmon.net/massive-route-leak-cause-internet-slowdown/.  L. Vanbever, O. Li, J. Rexford, and P. Mittal, “Anonymity on quicksand: Using BGP to compromise TOR,” in ACM HotNets, 2014.  Z. Zhang, Y. Zhang, Y. C. Hu, and Z. M. Mao, “Practical defenses against BGP prefix hijacking,” ser. CoNEXT ’07. New York, NY, USA: ACM, 2007.  Z. Zhang, Y. Zhang, Y. C. Hu, Z. M. Mao, and R. Bush, “iSPY: Detecting IP prefix hijacking on my own,” IEEE/ACM Trans. Netw., vol. 18, no. 6, pp. 1815–1828, Dec. 2010.
I decided to post this here as I saw some questions on the QRL discord.
Is elliptic curve cryptography quantum resistant?
Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea from that never reusing a private key (and public key since they form a pair) from elliptic curve cryptography would be quantum resistant.)
Why would Nexus be any differtent?
Why are WOTS+ signatures (and by extension XMSS) quantum resistant?
What is WOTS+?
What are the risks of WOTS+?
How is XMSS different?
Is elliptic curve cryptography quantum resistant? No. Using a quantum computer, Shor's algorithm can be used to break Elliptic Curve Digital Signature Algorithm (ECDSA). Meaning: they can derive the private key from the public key. So if they got your public key, they got your private key, and they can empty your funds. https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attackshttps://eprint.iacr.org/2017/598.pdf Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea from that never reusing a private key from elliptic curve cryptography (and public key since they form a pair) would be quantum resistant.) Ok, just gonna start with the basics here. Your address, where you have your coins stalled, is locked by your public- private key pair. See it as your e-mail address (public key) and your password (Private key). Many people got your email address, but only you have your password. If you got your address and your password, then you can access your mail and send emails (Transactions). Now if there would be a quantum computer, people could use that to calculate your password/ private key, if they have your email address/ public key. What is the case with BTC: they don't show your public key anywhere, untill you make a transaction. So your public key is private untill you make a transaction. How do they do that while your funds must be registered on the ledger? Wel, they only show the Hash of your public key (A hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output. But everytime you use the same hash function on the same original input (For example IFUHE8392ISHF), you will always get the same output (For example G). That way you can have your coins on public key IFUHE8392ISHF, while on the chain, they are on G.) So your funds are registered on the blockchain on the "Hash" of the public key. The Hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to. By the way, in the early days you could use your actual public key as your address. And miners would receive coins on their public key, not on the hashed public key. That is why all the Satoshi funds are vulnerable to quantum attacks even though these addresses have never been used to make transactions from. These public keys are already public instead of hashed. Also certain hard forks have exposed the public keys of unused addresses. So it's really a false sense of security that most people hang on to in the first place. But it's actually a false sense of security over all. Since it is impossible to derive a public key from the Hash of a public key, your coins are safe for quantum computers as long as you don't make any transaction. Now here follows the biggest misconseption: Pretty much everyone will think, great, so BTC is quantum secure! It's not that simple. Here it is important to understand two things: 1 How is a transaction sent? The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address. When he sends the transaction, it will be broadcasted to the blockchain network. But before the actual transaction that will be sent, it is formed into a package, created by the wallet. This happens out of sight of the sender. That package ends up carrying roughly the following info: The public key to point to the address where the funds will be coming from, the amount that will be transferred, the public key of the address the funds will be transferred to. Then this package caries the most important thing: a signature, created by the wallet, derived from the private- public key combination. This signature proves to the miners that you are the rightfull owner and you can send funds from that public key. So this package is then sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity." And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node. 2 How is a transaction confirmed/ fullfilled and registered on the blockchain? After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes. If you comprehend the information written above, you can see that there are two moments where you can actually see the public key, while the transaction is not fullfilled and registered on the blockchain yet. 1: during the time the transaction is sent from the sender to the nodes 2: during the time the nodes verify the transaction. This paper describes how you could hijack a transaction and make a new transaction of your own, using someone elses address to send his coins to an address you own during moment 2: the time the nodes verify the transaction: https://arxiv.org/pdf/1710.10377.pdf "(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." So this means that practically, you can't call BTC a quantum secure blockchain. Because as soon as you will touch your coins and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack. Why would Nexus be any differtent? If you ask the wrong person they will tell you "Nexus uses a combination of the Skein and Keccak algorithms which are the 2 recognized quantum resistant algorithms (keccal is used by the NSA) so instead of sha-256, Nexus has SK-1024 making it much harder to break." Which would be the same as saying BTC is quantum resistant because they use a Hashing function to hash the private key as long as no transaction is made. No, this is their sollid try to be quantum resistant: Nexus states it's different because they have instant transactions (So there wouldn't be a period during which time the nodes verify the transaction. This period would be instant.) Also they use a particular order in which the miners verify transactions: First-In-First-Out (FIFO) (So even if instant is not instant after all, and you would be able to catch a public key and derive the private key, you would n't be able to have your transaction signed before the original one. The original one is first in line, and will therefore be confirmed first. Also for some reason Nexus has standardized fees which are burned after a transaction. So if FIFO wouldn't do the trick you would not be able to use a higher fee to get prioritized and get an earlyer confirmation. So, during during the time the nodes verify the transaction, you would not be able to hijack a transaction. GREAT, you say? Yes, great-ish. Because there is still moment # 1: during the time the transaction is sent from the sender to the nodes. This is where network based attacks could do the trick: There are network based attacks that can be used to delay or prevent transactions to reach nodes. In the mean time the transactions can be hijacked before they reach the nodes. And thus one could hijack the non quantum secure public keys (they are openly included in sent signed transactions) who then can be used to derive privatekeys before the original transaction is made. So this means that even if Nexus has instant transactions in FIFO order, it is totally useless, because the public key would be obtained by the attacker before they reach the nodes. Conclusion: Nexus is Nnot quantum resistant. You simply can't be without using a post quantum signature scheme. Performing a DDoS attack or BGP routing attacks or NSA Quantum Insert attacks on a peer to peer newtork would be hard. But when provided with an opportunitiy to steal billions, hackers would find a way. For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/ For BTC: https://eprint.iacr.org/2015/263.pdf "An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain." That is exactly the receipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do. By the way, yes this seems to be fixed now, but it most definately shows it's possible. And there are other creative options. Either you stop tranasctions from the base to get out, while the sender thinks they're sent, or you blind the network and catch transactions there. There are always options, and they will be exploited when billions are at stake. The keys can also be hijacked when a transaction is sent from the users device to the blockchain network using a MITM attack. The result is the same as for network based attacks, only now you don't mess with the network itself. These attacks make it possible to 1) retrieve the original public key that is included in the transaction message. 2) Stop or delay the transaction message to arrive at the blockchain network. So, using a quantum computer, you could hijack transactions and create forged transactions, which you then send to the nodes to be confirmed before the nodes even receive the original transaction. There is nothing you could change to the Nexus network to prevent this. The only thing they can do is implement a quantum resistant signature scheme. They plan to do this in the future, like any other serious blockchain project. Yet Nexus is the only of these future quantum resistant projects to prematurely claim to be quantum resistant. There is only one way to get quantum resistancy: POST QUANTUM SIGNATURE SCHEMES. All the rest is just a shitty shortcut that won't work in the end. (If you use this info on BTC, you will find that the 10 minutes blocktime that is used to estimate when BTC will be vulnerable for quantum attacks, can actually be more then 10 minutes if you catch the public key before the nodes receive them. This makes BTC vulnerable sooner thatn the 10 min blocktime would make you think.) By the way, Nexus using FIFO and standadrized fees which are burned after the transaction comes with some huge downsides:
FIFO: If there are a lot of transactions, there would be nothing you can do to create a faster transaction. If you need a quick transaction during rush hours, you can’t pay a higher fee to get priority.
Fees are burned after the transactions. This means they are not sent to miners, which would lesser the incentive to mine. Also, because only Blockrewards pay miners, what if the max supply is reached in the future and there is nothing to pay out blockrewards? What would be the incentive to mine or stake?
The risk that comes with small standardized fees is that when someone is willing to pay to harm or spam your chain, they can force spam or small transactions into the system without you being able to stop them. (Miners wouldn't be able to exclude lower fee transactions containing spam or extremely small amounts meant for clogging the chain)
Another risk that comes with small standardized fees would be this: How do you prevent big backlog if there is no higher fee incentive for miners at rush hours to come mine? Usually fees follow the free market? So the larger the backlog of transactions, the higher the fees usually are. This then leads to more miners joining in and that way reducing backlog. Having fixed fees would cancel out that possibility. So the risk of backlog would be huge.
Why are WOTS+ signatures (and by extension XMSS) more quantum resistant? First of all, this is where the top notch mathematicians work their magic. Cryptography is mostly maths. As Jackalyst puts it talking about post quantum signature schemes: "Having papers written and cryptographers review and discuss it to nauseating levels might not be important for butler, but it's really important with signature schemes and other cryptocraphic methods, as they're highly technical in nature." If you don't believe in math, think about Einstein using math predicting things most coudldn't even emagine, let alone measure back then. Then there is implementing it the right way into your blockchain without leaving any backdoors open. So why is WOTS+ and by extension XMSS quantum resistant? Because math papers say so. With WOTS it would even take a quantum computer too much time to derive a private key from a public key. https://en.wikipedia.org/wiki/Hash-based_cryptographyhttps://eprint.iacr.org/2011/484.pdf What is WOTS+? It's basiclally an optimized version of Lamport-signatures. WOTS+ (Winternitz one-time signature) is a hash-based, post-quantum signature scheme. So it's a post quantum signature scheme meant to be used once. What are the risks of WOTS+? Because each WOTS publishes some part of the private key, they rapidly become less secure as more signatures created by the same public/private key are published. The first signature won't have enough info to work with, but after two or three signatures you will be in trouble. IOTA uses WOTS. Here's what the people over at the cryptography subreddit have to say about that: https://www.reddit.com/crypto/comments/84c4ni/iota_signatures_private_keys_and_address_reuse/?utm_content=comments&utm_medium=user&utm_source=reddit&utm_name=u_QRCollector With the article: http://blog.lekkertech.net/blog/2018/03/07/iota-signatures/ Mochimo uses WOTS+. They kinda solved the problem: A transaction consists of a "Source Address", a "Destination Address" and a "Change Address". When you transact to a Destination Address, any remaining funds in your Source Address will move to the Change Address. To transact again, your Change Address then becomes your Source Address. But what if someone already has your first address and is unaware of the fact you already send funds from that address? He might just send funds there. (I mean in a business environment this would make Mochimo highly impractical.) They need to solve that. Who knows, it's still a young project. But then again, for some reason they also use FIFO and fixed fees, so there I have the same objections as for Nexus. How is XMSS different? XMSS uses WOTS in a way that you can actually reuse your address. WOTS creates a quantum resistant one time signature and XMSS creates a tree of those signatures attached to one address so that the address can be reused for sending an asset.
Hi /Bitcoin , I am open to correction on any areas I have have misunderstood, but I do have some concerns for the future of mining and consensus. Miners receive BTC for mining new blocks, these can be physical individual miners or logical mining pools. Block rewards will continue diminishing until all Bitcoins are in circulation, ETA the year 2140. In the run up to this date, Bitcoin mining will become less and less feasible, and assuming BTC finds a stable price prior to this date then profitability will also decline. Without a large number of miners, the Bitcoin network could become more and more centralized over the years, allowing a single entity to reach consensus once more. Therefore the Network could be hijacked, resulting in the end of Bitcoin. In an alternate scenario, mining fees continue to increase to combat the diminishing profitability of block rewards. As you are all aware, mining fees are already becoming a growing concern and are accelerating the deflationary nature of Bitcoin, i.e a wallet with $20 worth of BTC may find it impossible to move this BTC. This leads to an eventuality where millions of users can own and store BTC, but are unwilling to transact with it. The reduction of transactions reduces the mining fee income and profitability of miners, who cease operation and the Network becomes more centralized than ever. In a final scenario, these concerns are addressed early and maintaining the hash power of the network becomes a recognized public utility, and Service-Provider are delegated the responsibility of hosting mining farms to validate transactions. Similar to BGP, the running of the full Internet Routing Table becomes a Service-Provider task. Individual miners cease operations, and the Network becomes more centralized than ever. With the current state of the protocol, I see no future scenario where the Bitcoin Network can remain both usable and decentralized. Without one, the other is worthless. Any feedback is appreciated.
Did I forget anything? Of course I did! Please let me know in the comments and I'll add it here! It's 9:30AM EST and we've found 89.42% of our initial 100 Billion DOGEs -- only 10.58% remains until our period of Hyper-inflation ends! Our Global Hashrate is up from ~43 to ~45 Gigahashes per second and our Difficulty is up from ~633 to ~773. As always, I appreciate your support! GoodShibe
Hijacking Bitcoin: routing attacks on cryptocurrencies Apostolaki et al., ... It turns out that if you can hijack less than a hundred BGP prefixes (feasible) you can isolate about 50% of the mining power in the network. Once a collection of nodes are partitioned from the network the network becomes more vulnerable to double spending attacks, transaction filtering, and selfish mining attacks ... I was reading about a famous Bitcoin case of BGP hijacking. Reportedly around 80000 dollars were stolen from bitcoin miners who were tricked to send mining data to the hacker's server instead of the real one. Apparently, the prefixes where the bitcoin servers were located were announced with shorter prefixes, making the traffic flow there, by the longest prefix match. In the article on BGPmon ... Bitcoin in terms of mining and routing. Speciﬁcally, we ﬁnd that any network attacker can hijack few (<100) BGP preﬁxes to isolate ˘50% of the mining power—even when considering that mining pools are heavily multi-homed. We also show that on-path network attackers can considerably slow down block propagation by interfering with few key Bitcoin messages. We demonstrate the feasibility ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies Abstract: As the most successful cryptocurrency to date, Bitcoin constitutes a target of choice for attackers. While many attack vectors have already been uncovered, one important vector has been left out though: attacking the currency via the Internet routing infrastructure itself. Indeed, by manipulating routing advertisements (BGP ... We also quantify their effectiveness on the current Bitcoin topology using data collected from a Bitcoin supernode combined with BGP routing data. The potential damage to Bitcoin is worrying. By isolating parts of the network or delaying block propagation, attackers can cause a significant amount of mining power to be wasted, leading to revenue losses and enabling a wide range of exploits such ...
Hijacking Bitcoin: Routing Attacks on Cryptocurrencies ...
AT&T Data Security Analysts discuss the challenges that the community faces when it comes to BGP. Originally recorded November 3rd, 2015. See the full episod... BGP - From Route Hijacking to RPKI: How Vulnerable is the Internet? - Duration: 24:44. ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - Duration: 21:14. IEEE Symposium on Security and ... BGP - From Route Hijacking to RPKI: How Vulnerable is the Internet? - Duration: 24:44. ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - Duration: 21:14. IEEE Symposium on Security and ... BGP Route Leak Misdirects Google Cloud Traffic Through Russia & China - Duration: 4:30. ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies - Duration: 21:14. IEEE Symposium on Security and ... Hijacking Bitcoin: Routing Attacks on Cryptocurrencies Maria Apostolaki (ETH Zürich) Presented at the 2017 IEEE Symposium on Security & Privacy May 22–24, 20...