If you are a massive crypto exchange and tens of thousands of accounts are hacked, is it the tens of thousands of users' fault, or is it possible that maybe the company's cyber hygiene isn't passing the "sniff" test?
Join the PTG team as they discuss the hacks and explore what exactly is going on.
Links:
Host: Craig
Cohosts: BJ & Erin
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
If you are a massive crypto exchange and tens of thousands of accounts are hacked, is it the tens of thousands of users' fault, or is it possible that maybe the company's cyber hygiene isn't passing the "sniff" test?
Join the PTG team as they discuss the hacks and explore what exactly is going on.
Links:
Host: Craig
Cohosts: BJ & Erin
Support the show - Call 877-468-2721 or visit https://petronellatech.com
Please visit YouTube and LinkedIn and be sure to like and subscribe!
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
Good afternoon, everybody. My name is Craig Petronella. Welcome to another cybersecurity podcast. So what topic did you guys choose for the day?
Erin:we went in to take a look at the Coinbase issues that are going on right now and talk about what people can do to protect themselves, after doing some research into this is pretty bad.
Craig:Did you see that one that was 15 or$17 million.
Erin:Yeah. In a matter of 10 minutes it was gone, as soon as the person put their money in it.$11.6 million lost and under 10 minutes. Because they fell for a fake notification scam. But the weird thing was that this notification popped up saying that it was from Coinbase. And that something was wrong with their account, as soon as the person signed up for it and put the money in
Craig:So what that tells me is that they must've been spying on their email or something. To be able to do that. We talked about this yesterday how they were looking for keywords, like wire transfers or some kind of ACH or something like that. And then all of a sudden they would resurface. I looked at a bunch of the links for the Coinbase issues and there's numerous issues, but they didn't really explain how, they didn't say, this is how it happened.
Erin:Yeah, because I think they're unsure at this point. I think what it sounds like to me is that it's either, like you're saying that there's been somebody on their account or it could have been, speculation. But how do we know it wasn't an insider job?
Craig:And the other thing that's a little nerve wracking, at least from my perspective from the cybersecurity side is it was a little confusing how Coinbase custody, which is separate claim based custody is there secure. but it's different than coinbase.com. They're two separate entities. So the Coinbase custody has what's called a SOC two type two report, but the regular one doesn't appear to have anything. So than coinbase.com. They're two separate entities. So the Coinbase custody has what's called a SOC two type two report, but the regular one doesn't appear to have anything. So that's pretty alarming. And then if you look at some of the other exchanges, they have much more security with leverage trading and things like that. You couldn't even add a wallet address on cracking without authenticating five times or whatever it was
BJ:yeah, it's fairly complicated. You know what else I've noticed about Coinbase I use both, I use Coinbase and I use the one that has the lesser securities that you described, not the one that has all the SOC two type stuff.
Craig:you don't use the Coinbase custody to trade it storage. It's just cold storage. It's their platform.
BJ:Maybe I'm confusing two different things. Cause they have Coinbase app and then they have Coinbase wallet or something.
Craig:No they have coinbase and then they have Coinbase pro. So Coinbase is The down version and then Coinbase pro has got some more advanced graphing and things like that for more day trading.
BJ:If those are the right two that I'm thinking of, they're not entertainable you have to sign up for them separately and set up wallet for them.
Craig:hold on, you actually can use one account, but the wallets are not the same. You can switch, if you're a Coinbase, you can go to Coinbase without creating a whole nother ID verified user account, but the wallet addresses are different.
BJ:Is different, I use an apple phone, so I set up facial recognition to log in, as a second step that has to authorize my face. It keeps dropping off for some reason. So I've set it up multiple times and it'll work for a few days and it'll keep making me do the face verification and then it'll drop off and then it doesn't require it. And I don't know why it's dropping off because I'm not changing anything in the settings, but something's inconsistent with the technology they're using because it's not staying there. That setting is not staying.
Craig:other thing that pretty alarming when I was looking at some of the news articles and doing some research and, there's the article about the attorney that had about a million dollars him and his wife had in crypto and it sounded like he had multifactor enabled. And then he was driving or something. And then he got a notification I think it said the notification was by text message. I'd have to go back and look at it. So, that notification was obviously the bad actor and all his stuff got wiped out and it was just a big mess and nobody gave him a straight answer on how it all happened. is it an insider job or what's going on? I was looking into it and the lack of a SOC report it's kind of alarming we talk about NIST and different kinds of frameworks around NIST 801 71 and ISO 27,001 and all these different regulatory frame. But why isn't there a public available download for Coinbase?
Erin:So what it says here too, which I think is really interesting, just reading I'll link this post but it says that the retired attorney clicked on the message, which said someone had logged into his account. So it was actually accurate, but then he logged on and soon he got an email. That is two factor authentication had been changed. So as security settings had been compromised somehow, right? He was able to log in and he watched it as they're withdrawing, but he couldn't do anything. And the problem is that Coinbase, they only have email they've since changed it, but they didn't have any phone lines to contact anybody there to stop it. So he was just watching this happen.
Craig:But you would think that there would be some kind of additional security safeguards around, logging in, even if they successfully authenticate, if they're coming in from an adversarial country and the ID verification check was New York or Florida or whatever. that's probably going to throw a red flag. Right? Why wouldn't somebody notify him and say, look, is this you? Kind of like a credit card. When you're out of town on vacation and you don't go to that place to use the gas station or whatever to fill up your car sometimes you'll get a fraud alert. So why isn't there kind of technology like that?
BJ:again a situation like you pointed out the difference in security levels between the exchanges, because you have a lot of entry-level crypto enthusiasts on Coinbase. And I use it too, because it's very convenient, right? That's the C word, very convenient, because you can really transfer money very quickly because they don't have all the extra measures because when you use crack in, for example, if you use a new device, not even being outside of the country or anything, but any new device it's going to make you verify it by email. Cause I use a. VPN. And so it makes me do it every single time. so that's just another layer there and then they have that global settings lock. So yeah, this is a trade-off with the convenience, but you pointed out a good thing to talk about Erin too. Not saying that there was insider threat because it very well may not have been, but it's a good topic to bring up. As Craig always mentioned training is so important and we see a lot of organizations that don't do trainings with their employees. And so they don't know what to look for, but happens there was just an article yesterday and this happened years ago, but I guess there was an interview done with that singer Grimes. Who's Elon Musk's off and on significant other. And she had admitted in the interview and now might be facing legal ramifications. But in the interview, she admitted that years ago, someone had taken a photo of her that she didn't want posted, and they posted it on their blog. And she had a friend who worked at a gaming company and that friend. Tap into the network somehow and did a dos on them to get that picture down. And they blackmailed them had told them they had to take the picture down or they wouldn't get it back up. So basically she essentially admitted to hacking this company over a picture. That's just a perfect example right there. That's Elon Musk girlfriend so these things happen and it's unfortunate, but it's true. And so training is very important to know what to look for.
Craig:I've always had training on both sides, for the company or the exchange as well as the individual training is so essential nowadays. the testing, the training, the attestation, their certificates of compliance, all of that. It's all necessary now.
BJ:If not for you training us on what to look for with phishing emails, I can probably think of 50 examples of things I would have clicked on in the last six months alone.
Craig:It's right before we fired off the podcast on this, I got a phishing email it says in big blue base coin, hyphen base. And then it says, dear customer, we found unusual and suspicious the activities in your Coinbase account. We decided to ban your account to protect you from any. Please call the support team now for ID verification and to continue your use of your account note failure to do this will result in a permanent ban on your account. Thanks and regards team psychology. 4 0 9 0 7 number. And then it comes from a Gmail user.
Erin:Oh, my gosh.
BJ:They're sold layered. Just how you always preach about cybersecurity. It needs to be layered, as you can see from this phishing email example. This is a layered approach to a social engineering campaign. Because number one, they hijacked off of a news story. There's things going on with Coinbase. Then they're preying on your fears about something happening to your account. Then they're preying on your fears mixed with dignity and whatever, because now they're saying that you might be banned. So now that hits a different chord in your mind. And then not only from a psychological perspective, are they using a layered approach I would venture to say that every link in that email and the phone number itself, it's probably dated with something ugly. And so the possibilities of you doing something that will negatively impact you are probably layered as well in that email. So they're using a layered approach to everything they do as well.
Erin:if you think about it, the times that we've done our own fishing campaign. It is very layered, you have to think about everything. You have to think about what it's going to look like. is the email going to go to spam?
BJ:And to be clear, we did phishing campaigns as part of a pin test.
Craig:even in our own practice, remember we made the decision to use a system with dashboard technology because of all the phishing emails, we wanted to make sure that our ecosystem and our clients were. Messages from us and they wouldn't be fished emails. So we encourage them to use the portal system. So just like with your bank. Your bank is not supposed to be sending you emails. And if you have a notification you're supposed to log into your dashboard account and things like that, but never ever log in with the link on the email.
BJ:Right. go the normal way. You didn't get that email, do it how you normally do it without responding directly.
Craig:And never called the phone number in the email. Always go direct to the manufacturer, the website, and call on the contact page.
BJ:Yeah, we should mention that people don't realize that phone numbers can have spyware linked to them. And I don't mean to be over alarming cause people have enough to worry about, but it's just true. Don't dial numbers that are linked to these types of messages you get because the numbers themselves can be linked to spyware and
Craig:They could have highly trained social engineering people on the other ends that are persuading them to divulge more personal identifiable information
BJ:Not to mention how metrics angle of your voice being recorded. And we know there's technology out there that can duplicate a human voice
Craig:Yeah, that's a good point. So you have to be careful. They might ask you questions that you'll have to say whatever, so they might record your voice saying that.
BJ:This seems like total chaos. They're out there right now. We can have hope that maybe this will all start to get better. Proper cyber hygiene is obviously the right routes, for this to get better. And that's a good time to mention for an example, you can't underestimate any threats out there. Let's talk about the fact that Microsoft and huge big tech companies, huge big tech companies, possibly what we know they got breached, but it's looking like possibly they were breached by a group that's led by a teenager. And that's the fact of the state of things that we're in. You cannot underestimate any threats out there in cyberspace. You have to take the proper precautions. If microsoft and in video were reached by the teenage.
Craig:I want to bring it back to this Coinbase thing for a second. Unique identifier. Typically a network called a Mac address. If I'm going to sign up for Coinbase from my phone or from my desktop, there's going to be a unique Mac address ID on my phone, and there's going to be unique Mac address idea on my desktop. Why couldn't a white listing technology be enabled such that when I sign up, that's kind of like your IP address, right? It goes a step further because this is a hardware Mac address. Why not have these things on. That are part of my profile and persona of who I am. So that when a bad actor tries to exploit that and the check doesn't match, meaning the Mac addresses that match and the IP. You have all these red flags, right? it should throw a big red flag to support saying, Hey, look, they're not really who they say they are. But my point though, is that the business needs to be taking security seriously and be taking it more seriously than the average consumer. So these are basic things that should be done for any business, like a bank. Anything, There might be a legitimate reason you're on vacation, whatever, but There should be either a support person or somebody stepping in to say, Hey, look, this is a red flag. this real, let's reach out to that person.
BJ:Right.
Erin:Yeah, absolutely.
BJ:In the defense of Coinbase, this problem is very widespread. They're making mistakes with their security and so is pretty much everyone else, right? Because you remember, we had a situation with a financial institution and we found evidence during our pen test of multiple brute force attempt attacks on specific employees and, it didn't seem to be too alarming to staff and, we, and our partners with the AI driven software found it to be very alarming. It's just a common and very widespread problem, right? Craig, you're very meticulous about cybersecurity and cyber layers. And you set up a very pristine environment, in your cyberspace and that's not common.
Craig:I think the other missing link here is that since crypto specifically is still regulations are still being hashed out and decided upon, I think the big differentiator though, of a bank, for example, if any consumer goes and opens a bank account, they immediately get what's called FDI. Insurance on that bank account. I can't remember if it's a hundred thousand or 250,000 or something like that. Where if something were to happen, there's that insurance, right? Where I don't, I'm not aware of any kind of insurance like that, that exists on the crypto side yet. maybe there is, but I've never seen it.
BJ:no cyberspace. And then crypto definitely falls under that umbrella is the wild west, right? We get calls all the time from people that are frantic about hacks, that they think have happened on their home network or small business network. And there's a common misconception that there's a Ghostbuster line to call for cyber, events that have happened. People don't realize there's really not anyone to call. You could call it a private business like us, and enlist our services. But as far as public assistance, a nine 11 type situation, there's not anyone to call
Craig:It's, just out of scope and complicated, right?
BJ:It's cutting edge. And even the government, as we know, has been behind on their cyber
Craig:yeah. So it's not just exchanges. It's banks, it's everyday businesses. It's the supply chain. these issues are everywhere, but I think if we simmer down these regulations, Adopt CMMC that's the most modern framework, make every business of all shapes and forms adhere to that standard. Simplify it. Do the third-party audits. Do the assessments, do the third-party pen tests, all that stuff. Do the checks and balances keeping cyber and it separate. that's the way forward.
BJ:And even as a more basic starting point, just that list, that was linked to the Biden announcement. The newest and most modern, effective cyber tools and enlist help of a professional,
Craig:going back to the MFA though, wasn't there something at Coinbase that there was an issue with their mFA. There's not just one or two people over 6,000 people affected. That's not a small number I'm speculating when I say this, but is it possible that all of them fell victim to that?
BJ:Yeah, that's a good question.
Craig:A full investigation and forensic would have to be done, but my point is that it's kind of interesting that so many people are affected then this flaw happens. all these people are left without the money. Basically life savings were drained and they have no recourse. You know what I mean? It's just doesn't seem right.
Erin:Yeah, actually, it's speaking on that too. There's something that I highlighted in here. The lawyer that retired lawyer, they got$700,000 stolen from him There's two different ones. There's one that was 11.6 million. But theirs was the one that was only$700,000. But it says here, they eventually did set up a call center so that you can speak to somebody live, but they have very strict regulations about who can actually call. so after they finally set that up, he talked to somebody and after a couple months they gave him$500 in Bitcoin he says it felt like they kicked sand in my face. Is there even anybody senior at Coinbase looking at this, somebody make a calculation and said, okay, this is what happened to this guy. He lost 21 Bitcoin. Let's give him$500.
Craig:So that guy was a lawyer that this happened to, right? Lawyers pretty sophisticated. Again, I'm speculating. I don't know enough about the situation. this whole thing is quite puzzling for me from a cyber perspective. Why would they give him$500 in Bitcoin or anything for that matter? If their stance stances, they didn't do anything wrong.
BJ:I guess they labeled it like a courtesy credit of some sort, which is more of an interest in the credit.
Erin:What's that 0.1% or something like that.
BJ:Pretty low, but the crypto is a different animal because a lot of people that are crypto enthusiasts and believers are putting their life savings into crypto. And so this is a real dangerous situation for the common folk, because a lot of people are putting their hopes in money into crypto.
Craig:I've said this many, many times the golden rule for that is stored on a cold wallet, I know people have said, well, what if the cold wallet fails? The funds don't actually live on that hardware. In your wallet, which is the 24 word passphrase. So you get the hardware. Hardware is going to fail. Right. But everyone listening, never, ever disclose that 24 weeks. that is everything for you. You have to protect that like a golden bar. You can't share it with anybody. Don't type it on anything on your computer. Don't digitize it, it needs to be physically secured I would not copy it, because if anybody gets those 24 words, they can recreate that wallet and liquid. They don't have the hardware. A lot of people think, oh, what's really in this ledger, that's where all my crypto goes and it's cold because it's not connected to anything. This is the Bluetooth ledger nano X. So, people think, oh, my crypto's here. No. When you get this thing and by the way, don't ever buy one of these, unless you buy it direct from the manufacturer, never buy from a reseller, never ever buy it from eBay. My point is when you set that thing up, the first thing that you do is it says, okay, we need to create your wallet. We're going to give you 24 words and it shows you all these different words. And then you write them down. You physically write them in pen, on a card it comes with. Okay. That is the creation with Krypton tography of your wallet.
BJ:what's the point of that thing in your hand then if the 24 words are the wallet, why do you need that machine
Craig:because, this gives you the ability to, put a pin number on it and then connect it to your computer to authorize transactions. So that's the function of the hardware.
BJ:Oh, okay. So you don't have to type the 24 words. You're protecting with that.
Craig:Remember we talked about hashing and salting. They're hashed in this. So the only thing that you have to remember as a human is the pin number you said,
BJ:so you're predicting the 24 words by using that device
Craig:the 24 words are where your money is.
BJ:From a cryptography standpoint, that's more secure than a 24 digit password.
Craig:24 Words, like words much more secure, You could literally buy two of them or three of them, or five of them or 10 of them. You could set them all up with that same 24 word passphrase, and then they're all clones of one another. They're all exactly the same. them out to family or trusted members. And then when you want to authorize a transaction, you can do that. There's other things called multisig and more advanced things that are even far more secure than that. But if most people would just use cold wallets, then a lot of this stuff would be so much more secure.
BJ:Oh, wow. Even if someone gets your cold wallet, let's just say someone's fuels it physically from your house Never write that down. I didn't realize that the 24 words was actually the money. The knowledge is the power and you're protecting the knowledge by backing it to that device and linking it through a code. So that makes a lot of sense. So that definitely sounds like the right way to store crypto.
Erin:a question too, about that. Can you use an authenticator or a onetime authentication password
Craig:Ledger has software called ledger life that you can connect. And when you connect with ledger live, it asks you to physically connect it or use Bluetooth and then use your pin number to authenticate, and then you have to accept or allow the transit. so you have to go through those hoops. So let's say, I want to send you Bitcoin. I would have to have, what's called the Bitcoin app on the ledger device. I'd have to open the ledger and the way to open it is to enter my pin number. Once I enter my pin number and it successfully authenticates, I can open any of the apps on there. If I'm going to transfer Bitcoin or buy Bitcoin, I'm going to open the Bitcoin app and then I'm going to communicate it. Leger live of what am I doing? My selling it, or my buying it, transferring it, whatever. And then it'll say, okay, do you authorize this transaction? You have to approve or deny it within a certain period of time. it's all got authentication layers.
BJ:Definitely. That's definitely enhanced security. And we know that a comment people may not realize, but we're Petronella technology group in petrol, a cybersecurity, but also blockchain security is us. And this is a good time to mention that there's a very common misconception amongst the whole web three blockchain crypto crowd. That blockchain is just inherently secure. let me be clear. The blockchain itself, the chain is considered an immutable record because each block has a portion of the previous block and it's, held by so many different people or nodes. That part may be true, but the infrastructure that you're using. Access that chain, your network, your IOT, connected devices, all these things that we're hearing, all these possible ways that something can be breached, back's all still vulnerable. And so just because you are using crypto, it doesn't mean you're not susceptible to a breach or a hack. That's not true at all. And the chain itself is considered secure. But nothing else other than the chain is considered secure, everything connected to the chain is still a vulnerability.
Craig:Look at what happened with Ethereum. I don't know if you remember, but when a theorem, first came out, there was a flaw with one of the smart contracts and millions of dollars where, one of the developers, the Ethereum developers exploited, the flaw, and the developer actually said I didn't steal the money. It was a flaw in the system, but obviously ethics are involved in that. But my point is that the consensus for the Ethereum had to do, what's called a hard fork and fork, the whole network, the whole blockchain. To fix that coding error. So my point is that even though the blockchain may be secure the technology because it's of the cryptography and then the mining and consensus and all the things that have to happen to add blocks to the chain the other things like the code of the software in this case, the smart contract code, if the code has a bug. And the whole point of smart contracts are reduce zero trust, no humans making decisions. They're all like if this happens, then this happens and then money is moved and exchanged and sent or whatever, all on autopilot. So if that code is wrong and there's a wrong wallet address in there or whatever.
BJ:It often is wrong. There's auditors that do this. And I interviewed one of them previously for a book you were writing. And literally he showed me a list because it's public knowledge of all of these different blockchains that were founded. Their code was falled. So again, that word layers comes to mind because what you're describing is a layer situation. So you have the blocks themselves that can't be changed. They're immutable, unless there was a majority attack, which is uncommon or rare. But other than that, there's all these different layers. The code itself could have flaws in it. And it does often, as we know, from the auditors that we'd spoken to, and then you have all the people's personal computers and their network and their IOT devices and their smart fridge that can affect everyone else on the net. So again, a layered problem. It's a layered situation. It's not just what people think. Oh crypto, every blockchain, it's all secure. It's all immutable. Nope.
Craig:And going back to stolen funds, whatever exchange you're on. The point is that if funds are moved without your authorization, even if you made a mistake, all of that's on a public blockchain. Have you ever seen one of those TV shows where they find a mass murderer from 30 years ago, whatever, then they convict them with DNA or something. It's the same thing. All these people like that lawyer that lost all that money, all this stuff is on the public record So when law enforcement catches up and forensics catch up and they chase the rabbit trail, eventually they're going to find where it is and now it might lead to an adversarial country, or it might lead to different cans. But look at what happened with the colonial pipeline. The FBI was able to successfully recover. What was it? It was a lot of money. It wasn't all of it.
BJ:That's a good point when that argument just falls apart when you really study it. The argument that crypto is, for criminals and cash is not, it falls apart when you study it because you'll never be able to find out what happened with the cash transaction last week, but you're right.
Craig:It's all public record
BJ:yeah, just because the mystery is not solved today, it doesn't mean it can't be looked at a later
Craig:that's my point. Eventually it'll catch up to you. Look at what happened with colonial pipeline. The mistake was they use an exchange to flip the crypto that they were collecting from the ransom fees paid. They then transferred that to Fiat, wherever they were and whatever country. And then that's how they got busted because the FBI was watching that exchange. They saw the transaction and that's how they got nailed. So my point is that all these we'll call them unsolved, crypto mysteries, all these unsolved crypto mystery. Your days are numbered if you're a criminal, because it's all on there. Now you may use, Bitcoin ATM there's all sorts of other things to kind of anonymize that criminals
BJ:but you can't large, huge transactions like they're doing at a Bitcoin ATM,
Craig:But my point is that maybe not all of it can be recovered, is all public record.
BJ:No you're right. That is all there. And data doesn't lie here. Right? Cause there's algorithms, right? That let's just take all the people in the FBI, out of the mix there's algorithms that literally are the framework, the fine of all of these chains. And they know that data is not going to go away. You're right. So when you look at it from that point of view, the argument that caches is the up and up way to to transfer money. And crypto is somehow dark. It makes no logical sense at all, because it's quite actually the opposite, I would say, because this is a system that every transaction is recorded.
Craig:Not only is it recorded, but there's something called KYC or know your customer and ID verification checks and things like that. So let's say with the colonial pipeline or whatever, somewhere in the world as there is more security and regulation eventually people are going to have to disclose, how did you just fall upon a hundred Bitcoins? And then obviously IRS and wherever else in the world, they're going to want tax money for that, because that's property or whatever, they decide but my point though is. with it all being public record my opinion is. Eventually it could be a solved crypto case from wherever.
BJ:Yeah. Now it's got the framework to be a far more secure system than cash could ever be.
Craig:Every transaction is recorded on that ledger. Even if you buy one of those ledgers or you buy a Trezor or other service or whatever, if you have Bitcoin or you have crypto, you're going to move it. You have to pay the transaction fees to move it. And that's the same for anybody. Even if you own the wallets, you still, if you're going to move it from wallet to wallet, you got to pay the fees. And then the reason why. You need to tell the world in the blockchain that your stuff doesn't live on this wallet anymore. It lives on this wallet and all of those transaction, all those blocks are recorded on the public ledger.
BJ:Yeah, you're right. It may be obscure and hard to read data right now, or hard to track data right now for where we are at technologically. But that doesn't mean it's going to stay that way and that data's not going anywhere stored, permanently.
Craig:All right. We should wrap up here. Thank you guys.
Erin:Yeah. Have a great weekend, everybody.