Tuesday, April 19, 2016

Is Bitcoin Secure?

CYBR650 Week 5


Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can’t do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do. –Steve Jobs

Digital currency.  Just the thing tech-savvy individuals like you and me should be both concerned and excited about.  It’s been around for 7 years now and all indications are it’s here to stay.  So, is bitcoin the currency of the future or just another way to lose money with technology?  Digital currency certainly could have security concerns.  It seems to be used for all sorts of illegal activities. But then again, real currency can be used for illegal activities.  First, let me explain how Bitcoin works.

Bitcoin is a decentralized digital currency, also referred to as cryptocurrency.  First, it’s digital, meaning there are no coins or paper money exchanged.  It uses public key cryptography certificates on a peer-to-peer network of bitcoin users.  It’s decentralized, meaning there is no main database of transactions and no central authority.  The transactions are stored redundantly on all the users’ computers in a blockchain ledger (distributed database), broadcast to the network.  A transaction is broadcast in a process that prevents bitcoin from being spent twice or spent in two transactions at the same time, since the transactions are recorded on all the computers in the peer-to-peer network.  Each transaction creates a hash value that is stored with the transaction.  If the hash changes, the transaction information has been changed and is not trusted.  Another blockchain ledger entry will be used to validate the data.
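To make the hash check concrete, here is an added example (not part of the original post and not Bitcoin's own code) of a toy hash-chained ledger that detects a changed transaction even when the person editing it recomputes the stored hashes. It assumes JSON-encoded transactions and a simple concatenation in place of Bitcoin's binary format and Merkle root; all names and sample transfers are constructed.

```python
import copy
import hashlib
import json

GENESIS = "00" * 32  # placeholder "previous hash" for the first block

def sha256d(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin applies to transactions and block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def tx_hash(tx: dict) -> str:
    # Assumption: canonical JSON stands in for Bitcoin's binary transaction format.
    return sha256d(json.dumps(tx, sort_keys=True).encode())

def block_hash(block: dict) -> str:
    # Simplification: real blocks commit to their transactions through a Merkle root.
    return sha256d((block["prev"] + "".join(block["tx_hashes"])).encode())

def build_ledger(batches: list) -> list:
    """Chain one block per batch; each block stores the hash of the block before it."""
    ledger, prev = [], GENESIS
    for txs in batches:
        block = {"prev": prev, "txs": txs, "tx_hashes": [tx_hash(t) for t in txs]}
        block["hash"] = block_hash(block)
        ledger.append(block)
        prev = block["hash"]
    return ledger

def verify_ledger(ledger: list) -> list:
    """Return a list of integrity problems; an empty list means the copy is consistent."""
    problems, prev = [], GENESIS
    for i, block in enumerate(ledger):
        for j, tx in enumerate(block["txs"]):
            if tx_hash(tx) != block["tx_hashes"][j]:
                problems.append(f"block {i}: transaction {j} does not match its stored hash")
        if block["prev"] != prev:
            problems.append(f"block {i}: broken link to previous block")
        if block_hash(block) != block["hash"]:
            problems.append(f"block {i}: block hash mismatch")
        prev = block["hash"]
    return problems

def tamper(ledger: list, effort: int) -> list:
    """Edit block 0, transaction 0 in a copy, then hide the edit with increasing effort."""
    fake = copy.deepcopy(ledger)
    block = fake[0]
    block["txs"][0]["amount"] = 50            # effort 1: change the amount only
    if effort >= 2:                           # effort 2: also refresh the transaction hash
        block["tx_hashes"][0] = tx_hash(block["txs"][0])
    if effort >= 3:                           # effort 3: also refresh the block hash
        block["hash"] = block_hash(block)
    return fake

# Constructed sample data: two blocks of made-up transfers between made-up addresses.
SAMPLE = [
    [{"from": "addr-A", "to": "addr-B", "amount": 5}],
    [{"from": "addr-B", "to": "addr-C", "amount": 2}],
]

if __name__ == "__main__":
    ledger = build_ledger(copy.deepcopy(SAMPLE))
    print("honest copy:", verify_ledger(ledger))
    for effort in (1, 2, 3):
        print(f"effort {effort}:", verify_ledger(tamper(ledger, effort)))
```

Each extra step of cover-up only moves the mismatch further down the chain, so an edited copy still fails verification unless every later block is rewritten too.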

Bitcoins are mined by allowing a computer to process bitcoin transactions as part of the peer-to-peer network.  Anyone allowing their computer to be used for the transactions gets a small bitcoin reward for participating and the new bitcoins are added to the blockchain.  Bitcoins are stored in a bitcoin wallet, either an application on your computer or cell phone that stores your bitcoins, a web based third party that stores them for you or a hardware wallet which stores the keys on specially designed removable media.  Only the person with the private cryptokey can spend the bitcoin.  The wallet stores the private keys and a record of anyone you exchange bitcoins with without actually knowing who the other person is since you only have an address for the person.  The address doesn’t have any personal information.  The address is actually just a number.

Key Characteristics
Open Source – nobody owns or controls bitcoin.  Once it was introduced to the world, it started being used and will only cease to exist if everyone stops using it.

Efficient – There’s no third party (bank or credit card company) processing the transaction, so it’s fast and reliable. 

Inexpensive - There’s no third party (bank or credit card company) processing the transaction, so it’s very low cost.  Credit cards typically charge 2 to 4% per transaction for processing (transferring the funds from the buyer’s bank to the seller’s bank).  This is cheap because there is no bank involved, only the buyer and seller.  The transaction is stored in the blockchain.

Anonymous – transaction is recorded but the two parties are untraceable.  Anyone can see how many bitcoin are in an address, but they can’t find out who has that address.  To increase anonymity, a person can use multiple addresses for a single transaction.  There’s no record of what was bought or sold.

Secure – Bitcoin uses SHA-256 encryption for transactions and verification.  The next section outlines the security problems that bitcoin has had so far.

Security
There have been four bitcoin security breaches, but the security problems weren’t bitcoin issues; they were the same security issues any network faces.  All involved attacks on bitcoin wallets or accounts.  The first breach was a social engineering attack that stole a password to an email address used for a bitcoin account.  The second, the Mt. Gox bankruptcy, was caused by inadequate network security in what was at one time the largest bitcoin exchange.  What wasn’t stolen by hackers was lost to poor management.  The third, Silk Road 2.0, was an attack against the darknet website’s bitcoin account.  There is speculation that it was a cover-up for corruption within the illegal site.  The fourth breach, called the Pony botnet, stole passwords to 85 personal, locally stored bitcoin wallets.  The weakness exploited was the computer system security, not a weakness in the bitcoin algorithm.

Bitcoin appears to be here to stay.  There’s even some talk about banks and other large financial organizations using blockchain technology for transactions.  So the bottom line seems to be, bitcoin is safe, quick, cheap and reliable--as long as you protect your digital wallet.  Once again we find the importance of good security practices.


Bitcoin image courtesy of Imgur, http://imgur.com/Jdszyq9

Saturday, April 9, 2016

Snowden and the Panama Papers: A Comparison

CYBR650 Week 4

“There are pockets of wealth in this country. Mostly those pockets are in the politicians’ pants.” 
 Jarod Kintz, How to construct a coffin with six karate chops

I remember when I first heard about Edward Snowden’s leak of thousands of classified documents.  I remember distinctly feeling that what he had done was illegal and immoral and traitorous.  Last week when the Panama Papers were leaked I felt that something good had been done.  I immediately wondered what was fundamentally different about these two incidents.  On the surface, they’re very similar. There are also some important differences.  Is Snowden justified in what he did?  Is it morally any different than the reporters who disclosed the Panama Papers?

Both were very large collections of documents that were never intended to be available to the public.  Both implicated political figures and government leaders for behavior that is generally considered inappropriate and unacceptable.  Both caused great political turmoil and both were major security incidents, at least for those whose documents were revealed.

But there are some distinct differences as well.  Snowden was sworn to secrecy by the government whose documents he leaked.  The reporters who disclosed the Panama Papers didn’t break any laws as far as we know.  Snowden is considered by many a traitor, the reporters will probably get an award for great journalism.  Snowden revealed what he and many others felt were illegal and invasive practices by government agencies.  The Panama Papers may not show any illegal actions, only questionable behavior by politicians, not government agencies.

Purely from a security standpoint, Snowden broke the law.  He held a position of trust with a top secret security clearance.  He signed a non-disclosure agreement that basically says he wouldn’t reveal the secrets he learned while performing his duties.  Some have said he took an oath “to protect and defend the constitution against all enemies foreign and domestic.”  Apparently, only military members and the president take that oath.  But even if he had taken the oath, many would argue he did not violate it as he felt the agencies were overstepping their authority.  Snowden feels he did what was morally correct, a higher standard of loyalty to the Constitution than to the law.

There’s no doubt in my mind the politicians implicated by the Panama Papers are dodging taxes and doing so legally, but in violation of the trust of the citizens they represent – at least those leaders who represent democratic governments. 

I still think what Snowden did was wrong.  It violated security laws.  However, he did act very morally, he did what he thought was right.  For that I applaud him.  I have more respect for Snowden than I ever will for any politician.  Many politicians consistently operate on the edge of laws, always being careful to obey the letter of the law, but somehow always violating the intent of it.  

Either way, we always end up with the human factor being the weakest link in security.

Tuesday, April 5, 2016

Passive Authentication: The Future of Security

CYBR650 Week 3

Without change there is no innovation, creativity, or incentive for improvement. Those who initiate change will have a better opportunity to manage the change that is inevitable.
William Pollard


Security Week blogger Kevin Townsend, a guy who’s been writing about information security for 15 years, published a blog post entitled Is Passive Authentication the Future for User Authentication?  My initial reaction was to be skeptical.  The concept of being passive about security goes against everything I’ve been taught in the last few years.  I took a deep breath and decided to explore with an open mind.

Everybody hates passwords.  They are a necessary evil.  Like shaving or changing the oil in your car, something that has to be done.  Those who reject this concept in the name of convenience threaten everyone’s security by being the weakness in the security structure.  But mobile computing has changed the landscape as people have pushed for easier security.  Passwords have been exchanged for PIN codes.  Banks and others who have higher security requirements have started using 2 step verification—you log in with a password or PIN and then must also provide a code that is sent to your Smart phone.  It’s much harder to steal login information because you have to have both parts to get in. 

Everything I was able to find on passive authentication was very technical in nature like this blog post by KidoZen which has a pretty good explanation.  But if you want the less technical version, read on…

Meet Bob, a young professional sales representative who is fully connected to the digital world through his technology.  Bob’s company feels strongly about security, but knows Bob will get around security if he’s given any opportunity to do so.  Bob logs into his corporate VPN with his chip enabled smart card and password on his corporate laptop when he’s away from the office.  Bob hates having to carry the card and has lost it on several occasions.  Bob’s company is tired of replacing them at $20 each.

Bob’s company decides to replace the smart card with a one-time-password application.  OTP apps work on a smart phone or other mobile device.  Bob had to set it up at work so the network trusts his phone and syncs the OTP which was a pain, but once it was done, all Bob has to do is open the app when he wants to login.  He provides his usual login password and the one-time password, a randomly generated number that the company and the smart phone both know.  It works great until Bob loses his cell phone. 

If Bob’s sales figures weren’t so high, they would fire him.  So they decide to try passive authentication.  When Bob logs into the VPN on his corporate laptop, the network recognizes the laptop as a trusted corporate computer.  The VPN also recognizes the network that Bob is logging in from, one of his regular customers.  Because the laptop and the location (network) are recognized, Bob only has to enter his password.  The laptop and recognized network provide the second factor.  Later, when Bob is at the airport bringing his latest sales contract back to corporate headquarters, he has to use the OTP app on his smart phone again since he’s not on a trusted network.

Passive authentication relies on some known factor about the user or the user’s device to act as the 2nd factor.  If only one factor is required it could be the device, so Bob wouldn’t need to use his password at all.  This will most likely be used first for mobile devices like smart phones (after it’s registered to the user) when they are on known networks (networks that are deemed secure). 
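Bob's story as an access decision, in an added example that is not from the original post or from any vendor's product: the recognized laptop and network stand in for the second factor, and anything unrecognized steps up to a one-time password computed the way OTP apps do (RFC 6238). The device ID, network range, user name and secret are constructed, and the password check is assumed to have happened earlier.

```python
import hashlib
import hmac
import ipaddress
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1), as OTP apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed enrollment data; every name and address below is hypothetical.
TRUSTED_DEVICES = {"LAPTOP-0042": "bob"}                      # device id -> owner
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # a regular customer's network
OTP_SECRETS = {"bob": b"12345678901234567890"}                # RFC 6238 test secret

def required_factors(user: str, device_id: str, source_ip: str) -> list:
    """Passive signals replace the OTP only when BOTH device and network are recognized."""
    # Assumption: device_id was established by something the client cannot simply
    # assert, such as a certificate installed on the corporate laptop.
    device_ok = TRUSTED_DEVICES.get(device_id) == user        # device must belong to this user
    addr = ipaddress.ip_address(source_ip)
    network_ok = any(addr in net for net in TRUSTED_NETWORKS)
    return ["password"] if device_ok and network_ok else ["password", "otp"]

def authenticate(user, password_ok, device_id, source_ip, now, otp=None) -> str:
    """Return 'allow', 'deny' or 'otp_required'; password_ok comes from a prior check."""
    if not password_ok or user not in OTP_SECRETS:
        return "deny"
    if "otp" not in required_factors(user, device_id, source_ip):
        return "allow"
    if otp is None:
        return "otp_required"                    # step up: ask the client for a code
    # Accept the current and the previous 30-second window to tolerate clock drift.
    candidates = (totp(OTP_SECRETS[user], max(0, now - drift)) for drift in (0, 30))
    ok = any(hmac.compare_digest(otp.encode(), c.encode()) for c in candidates)
    return "allow" if ok else "deny"

if __name__ == "__main__":
    t = 59  # fixed timestamp so the output is reproducible
    print("customer site:", authenticate("bob", True, "LAPTOP-0042", "203.0.113.25", t))
    print("airport, no code:", authenticate("bob", True, "LAPTOP-0042", "198.51.100.7", t))
    code = totp(OTP_SECRETS["bob"], t)
    print("airport, with code:", authenticate("bob", True, "LAPTOP-0042", "198.51.100.7", t, code))
```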

I don’t know if passive security is as safe as current active security measures, but I have no doubt that the convenience will drive the change to make it more secure.  Devices and networks will be configured to work with passive security systems.  

Someday Bob’s children will ask him to explain what a password is. 

Sunday, March 27, 2016

Protecting your Environment: Threat Identification Sources

CYBR650 Week 2

I talk a lot about balance.  Security vs. access, freedom vs. privacy, cost vs. benefit.  But some things just have to be done, no balance required.

Security is about protecting information, and to do it well requires good information.  So what is a federal employee to do if they want to protect the data that has been entrusted to him or her? --The data of the millions of American citizens who depend on their government to protect them? This is a broad question that needs solid answers.  And I stress the significance of “federal employee” because I am one.  I have to work within the framework of regulations, policies and directives (and sometimes emails with strongly worded suggestions on what I should do).  Here is the list of useful information I look to for direction.  Many are Federal government specific; all but one are accessible to every American with an Internet connection.  So here they are in no particular order…

The NIST National Vulnerability Database – This is a repository of vulnerabilities that anyone can use to look for threats and vulnerabilities from very general to hardware or software specific.  NIST is a government agency charged with establishing standards for many government entities.  As of the date of this blog, there were 75,708 identified vulnerabilities.  The place to start looking is in the Vulnerability Search Engine, listed first under the NVD Primary Resources.  The title “Primary Resources” is accurate because it lists the most helpful ways to get information out of the database.

US CERT – The United States Computer Emergency Readiness Team’s National Cyber Awareness System (NCAS) provides a quick way to see current threats.  I would recommend subscribing to at least one of the choices they offer – Alerts, Bulletins and Tips, with the Current Activity link a good place to see what’s happening right now.

Security Blogs – I’m a big fan of Blogs.  They are a quick way to get relatively current information that has been compiled by a professional – if you use one of the reputable sites such as TechRepublic.  If you’re not sure, the Internet has some great suggestions like this blog from Marble Security listing the 10 Security Blogs You Should Be Reading.  Pick two or three to get a feel for what’s out there and then subscribe to the ones that are most helpful to you.

Directly Related to Your Work Environment – For me, this is the VA-NSOC –The Veterans Administration Network and Security Operations Center – While I can’t directly connect to the NSOC to show you what it’s about, it is a critical resource for me.  You should have a 24/7 resource within your organization you can call for help with urgent and critical security issues.  They are the first line of defense when you have an incident and they should be contacting you when they detect threats in your work environment so you can help them remove infected equipment or other action to deal with real-world threats to your network.

Data Breach analysis – One of the best resources you can look at when looking at what you need to defend against is a data breach analysis.  These reports tell you what has been attacked and also provide general guidelines for what you should be doing to defend against these attacks.

Education – You can do all of the above and you will be more effective at protecting your own network.  But one of the smartest moves you can make is to get a degree focused on cybersecurity.  These other resources will provide useful information and you will need to go to them often, but you also need to support it with a good general background in cybersecurity.  This will fill in the gaps in your knowledge so that you understand how the whole system works so you can better defend it.

Security Requires Wisdom

CYBR650 Week 1

I’ve decided to change political parties this election season.  I’m pretty conservative in a lot of my viewpoints, but I’ve heard some good ideas presented by liberal politicians.  The problem is that the Republicans and Democrats are so busy trying to prevent the other side from getting their own way, they refuse to even consider reasonable discussion on practical matters.  For a while I thought the Green Party had some good ideas, but some of what they espouse was too socialist for me.  I also considered the Libertarian Party.  However, their focus on personal liberty seems a bit selfish or isolationist to me. 

So I declare my allegiance to the Centrist Party.  Centrists are traditional, but practical.  They balance individual rights with the greater good of all of society.  They hold the ideals of pragmatism over compromise.  The Centrists don’t have a candidate in the Presidential race that’s going on now, so I can’t vote for a declared Centrist, but I can choose a candidate who holds Centrist values.

So why all this talk about politics in a blog about security? 

Centrist ideals apply to the balancing act between freedom and security in politics, but they also apply to technology, the Internet and the Internet of Things.  We should embrace technology as it brings many benefits, but we have to do so with prudence and wisdom. 

The quote at the beginning of this post elegantly states that we have to use technology wisely, or we may end up destroyed by it.  We have to balance security and the freedom that technology brings.  In the ever escalating arms race of hackers vs. security practitioners, we need to balance protection with freedom.  Will there be casualties?  No doubt about it, but we have to be wise enough to build security into the Internet of Things and free enough to enjoy the benefits new technology brings.

Just as in our democracy we have to balance our personal liberties with the responsibility to our communities and fellow citizens, we can’t have perfect security and still travel around the world at will.  We can’t keep our airports and train stations completely terrorist free.  We can’t say no to all Muslims who want into our nation and we can’t throw the borders wide open.  We have to be wise in Centrist ways, not politicizing national security or Internet security, but seeking the greatest good for all.

Thursday, May 28, 2015

A New Adventure Begins

Coming to the end of this course, or any endeavor, is always a mixed time for me.  Glad to be done and transition to something new, but at the same time, feel that there was more that could be learned if there was time to work on it.  It's the natural course of events.  I will develop my project management skills and I will be more capable of managing and planning for risks, but there is still lots of room for growth.  These skills will be useful in every work project, home project and any other collaborative efforts I undertake with others.

I don't feel like I really mastered any of the objectives of this course.  However, I am more confident about taking on bigger and more challenging tasks -- to take risks, but to do so with an analysis of the opportunities and pitfalls that they bring.  I'm a lot more comfortable with risk analysis techniques, the area I felt weakest in.  Working through the risk identification process is challenging, but not overwhelming anymore.  Logically working through the prioritization of risks will be easier with the tools we learned.

I believe that my technical writing skills are stronger from working on this degree.  As in any environment where humans interact, communication was challenging at times.  This is more true in an online course since we can't use the visual tools of body language and emotional clues.  When one tool is limited or unavailable, other abilities get stronger.  This forced me to work through the difficulties and find a way to gain understanding.

All in all, a great experience.  I used the word 'serendipity' at the beginning of this course to express the hopeful, expectant attitude that I came into this class with.  I leave it feeling that I gained knowledge and in ways that I didn't expect.  Knowledge is power.  It can be leveraged in ways I can't anticipate today, but I am better prepared for any future challenges.  I still would like to pursue the CAPM certification as I feel there is value in it.  I don't know if project management will be an occupation, but it will be used in every job I have.

Thank you for the support and patience you gave me all course long,

Paul

Sunday, April 19, 2015

The Journey So Far

As I look back at the last six weeks, and my previous post, I still feel many of the same needs in my training.  I would still like to be a project manager and still feel the need for developing my skills.  I am gaining an understanding of risk as something that can be managed effectively.  Using the tools we are learning about will help reduce the uncertainty of projects.  Good analysis and planning will reduce the risks. It seems like the unknowns are not so unimaginable as they were six weeks ago.  I feel my lack of technical experience will be the biggest impediment to project success. Experience will fill in the rest of the areas where I'm weak.

The coursework still stretches me.  Staying focused and committed to the task at hand still sometimes is difficult, but I also feel like I'm getting a little better at scheduling and managing my time.  Writing is still work, but my thoughts seem more organized week by week.

I don't know if I will be successful in becoming a project manager.  To a large extent, it is dependent on the opportunities at work and positions that open up, but either way I feel more prepared to take on new challenges in whatever new endeavors I face in the future.