This article looks at two of the most high-profile computer security incidents of 2016, one at the level of a corporation and one at the level of individual users' accounts. Both cases hold useful lessons for anyone responsible for implementing solid security policies.
At the corporate level, the largest breach of the year happened on 2 August 2016, when attackers broke into Bitfinex, one of the largest Bitcoin exchanges, and made off with 119,756 bitcoins, worth more than $65 million USD at the prices of the time. A lot of mystery still surrounds the event. From what has been announced so far, the breach is tied to the way Bitfinex secured client funds, specifically its use of a third-party product from BitGo, introduced in 2015 to improve the overall safety of the exchange. According to the press release, Bitfinex partnered with BitGo in June 2015, when Zane Tackett, Director of Community & Product Development at Bitfinex, announced that BitGo's multi-signature wallets would add an extra layer of security to every bitcoin transaction handled by Bitfinex. Tackett stated: "The era of commingling customer bitcoin and all of the associated security exposures is over." (Business Wire, 2015).

Little did they know that within a year the product portrayed as a game changer would be at the centre of a breach that caused "the price of Bitcoin to tumble by more than 20%" following the news of the hack (Mullen, 2016), nor that the Bitfinex theft would become the second largest loss of bitcoins on record, behind the 744,408 bitcoins (worth over 350 million USD) that the Japanese exchange Mt. Gox lost in 2014.

BitGo's reaction was less than satisfactory. As the news broke, BitGo stated on Twitter that an internal investigation had turned up "no evidence of a server breach on our end". That may well be true, but it sidesteps the point. BitGo's role was to act as a co-signer in a 2-of-3 multi-signature wallet scheme, co-signing withdrawals through an API according to the limits configured for each wallet, and its co-signing service approved withdrawal after withdrawal until roughly 120 thousand bitcoins had left the exchange. Exactly how the attacker gained the ability to initiate those withdrawals and got past the limits that were supposed to constrain the co-signer has never been publicly explained (Higgins, Bovaird and Rizzo, 2016). As security experts later pointed out, an outflow of that size should have raised every alarm available; deciding whether to sign a transaction was, after all, the one job BitGo was responsible for.
The lesson is that withdrawals should be tiered: a security system needs to flag transfers that are out of the ordinary (unusual size, unusual velocity, unusual destination) rather than co-sign whatever its API is asked to sign. Automated approval procedures are exactly what attackers exploit, because a compromised API credential inherits everything the automation is allowed to do. Withdrawals of this magnitude should therefore not only be automatically marked as suspicious but also held for manual review before they are allowed to proceed. A human in the loop could have stopped this theft long before 120 thousand bitcoins were gone.
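As an added illustration of the tiered policy described above (this is example code written for this article, not Bitfinex's or BitGo's software), the following Python sketch gates withdrawal requests with a per-transaction cap, a per-account velocity limit over a rolling window, and an exchange-wide outflow limit that freezes all withdrawals until an operator clears them. The thresholds, account names, and the burst scenario are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    account: str
    amount_btc: float
    at: datetime


@dataclass(frozen=True)
class Policy:
    # All thresholds are illustrative assumptions, not any real exchange's limits.
    auto_approve_max: float = 5.0                    # largest single withdrawal a bot may co-sign
    account_window: timedelta = timedelta(hours=24)
    account_velocity_max: float = 20.0               # per-account outflow per window without review
    global_window: timedelta = timedelta(hours=1)
    global_velocity_max: float = 300.0               # exchange-wide outflow per window before a freeze
    hard_reject_max: float = 1000.0                  # a single request above this is refused outright


APPROVE, REVIEW, FREEZE, REJECT = "approve", "review", "freeze", "reject"
T0 = datetime(2016, 8, 2, 12, 0)  # constructed start time for the sample scenarios


class WithdrawalGate:
    """Decides whether a withdrawal may be co-signed automatically, must wait
    for a human, or trips an exchange-wide freeze."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self._by_account: Dict[str, Deque[Withdrawal]] = {}
        self._global: Deque[Withdrawal] = deque()
        self.frozen = False

    @staticmethod
    def _outflow(history: Deque[Withdrawal], now: datetime, window: timedelta) -> float:
        # Discard entries that have aged out of the window, then sum the rest.
        while history and now - history[0].at > window:
            history.popleft()
        return sum(w.amount_btc for w in history)

    def evaluate(self, w: Withdrawal) -> Tuple[str, str]:
        p = self.policy
        if self.frozen:
            return FREEZE, "all withdrawals frozen pending manual review"
        if w.amount_btc > p.hard_reject_max:
            return REJECT, f"{w.amount_btc:.1f} BTC exceeds hard cap of {p.hard_reject_max:.1f}"
        acct = self._by_account.setdefault(w.account, deque())
        acct_out = self._outflow(acct, w.at, p.account_window)
        glob_out = self._outflow(self._global, w.at, p.global_window)
        # Every non-rejected request counts toward velocity whether it is approved
        # or held, so splitting one big withdrawal into many small ones cannot
        # slip under the limits.
        acct.append(w)
        self._global.append(w)
        if glob_out + w.amount_btc > p.global_velocity_max:
            self.frozen = True  # stays frozen until an operator clears it
            return FREEZE, (f"exchange-wide outflow {glob_out + w.amount_btc:.1f} BTC "
                            f"in {p.global_window} exceeds {p.global_velocity_max:.1f}")
        if w.amount_btc > p.auto_approve_max:
            return REVIEW, f"{w.amount_btc:.1f} BTC exceeds auto-approval cap of {p.auto_approve_max:.1f}"
        if acct_out + w.amount_btc > p.account_velocity_max:
            return REVIEW, (f"account {w.account} would move {acct_out + w.amount_btc:.1f} BTC "
                            f"in {p.account_window}, above {p.account_velocity_max:.1f}")
        return APPROVE, "within automatic co-signing limits"


def replay(requests: List[Withdrawal], policy: Policy = Policy()) -> List[str]:
    """Run a sequence of requests through a fresh gate and return the decisions."""
    gate = WithdrawalGate(policy)
    return [gate.evaluate(w)[0] for w in requests]


def build_burst(n: int, amount: float, accounts: List[str],
                step: timedelta = timedelta(seconds=10)) -> List[Withdrawal]:
    """Constructed attack pattern: many small withdrawals, each under the
    per-transaction cap, spread across accounts and fired in quick succession."""
    return [Withdrawal(accounts[i % len(accounts)], amount, T0 + i * step) for i in range(n)]


def scenarios() -> Dict[str, List[str]]:
    """Decisions for a few constructed scenarios."""
    one_account = [Withdrawal("alice", 5.0, T0 + timedelta(minutes=i)) for i in range(5)]
    burst = build_burst(100, 4.0, [f"acct{i:03d}" for i in range(100)])
    return {
        "small": replay([Withdrawal("alice", 1.0, T0)]),
        "large": replay([Withdrawal("bob", 50.0, T0)]),
        "absurd": replay([Withdrawal("mallory", 2000.0, T0)]),
        "per_account_velocity": replay(one_account),
        "distributed_burst": replay(burst),
    }


if __name__ == "__main__":
    for name, decisions in scenarios().items():
        print(f"{name:22s} {decisions[:6]}{' ...' if len(decisions) > 6 else ''}")
```

The point of the `distributed_burst` scenario is that every request in it passes the per-transaction and per-account checks on its own; only the exchange-wide velocity counter notices that 100 accounts draining 4 BTC each within a few minutes is not normal, and once it trips, nothing else is co-signed until a person looks.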
At the individual level, 2016 brought news of the hacking group OurMine breaking into the social media accounts of some very prominent public figures, including
- Mark Zuckerberg
- Sundar Pichai
- Jack Dorsey
OurMine is reportedly a group of young hackers from Saudi Arabia. In Zuckerberg's case, OurMine stated that the break-in was possible because of the LinkedIn password dump dating from 2012, which surfaced on the Internet in May 2016 (LinkedIn data dump, 2016); the Pichai and Dorsey takeovers went through third-party services (Quora and Vine respectively) that had been authorised to post to their Twitter accounts. None of this was a hack in the technical sense. It was an exercise in exploiting poor password hygiene by "Mark Zuckerberg, Sundar Pichai and Jack Dorsey, who ironically are the world's top tech executives" (Leadem, 2016): the root cause was reuse of the same credentials across different networks, so that a four-year-old leak from one site opened accounts on others. The Telegraph's columnist James Titcomb later sighed: "If Mark Zuckerberg's password was 'dadada', what hope do the rest of us have?". The Telegraph estimated that "dadada" is no stronger than "abcdef", since a brute-force attack would need less than 25 seconds to exhaust a six-letter lowercase password. In conclusion, this case shows the importance of a robust password policy and, above all, that a password must never be reused across sites: once one site leaks it, it no longer matters how complicated it is. Unique passwords from a password manager, a second factor on the account, and a periodic review of which third-party applications are allowed to act on an account are the practical countermeasures.
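To make the two failure modes above concrete (an unsalted hash dump, and a weak password reused elsewhere), here is an added Python example written for this article, not code from OurMine, LinkedIn or any of the sites involved. It shows why a dump of unsalted SHA-1 hashes lets an attacker spot reuse on a second site without cracking anything, why per-user salted hashing defeats that, how a site can check a new password against a breach corpus using the five-character SHA-1 prefix (k-anonymity) scheme used by services such as Have I Been Pwned, and how small the keyspace of a six-letter lowercase password really is. The "dump", the account names, and the guessing rate are all constructed assumptions.

```python
import hashlib
import os
from typing import Dict, List, Set

# Constructed sample data, not the real LinkedIn dump. The 2012 LinkedIn leak
# consisted of unsalted SHA-1 hashes, so anyone holding it could recover common
# passwords; these stand in for passwords an attacker has already cracked.
CRACKED_FROM_DUMP = {"dadada", "abcdef", "123456", "linkedin", "letmein"}
DUMP_HASHES: Set[str] = {hashlib.sha1(p.encode()).hexdigest().upper() for p in CRACKED_FROM_DUMP}

# Constructed accounts on a second, unrelated site. Two of them reuse a password
# that is in the dump. User names are placeholders, not real people.
SECOND_SITE_USERS: Dict[str, str] = {
    "exec1": "dadada",
    "exec2": "correct-horse-battery-staple",
    "exec3": "linkedin",
}


def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def salted_hash(password: str, salt: bytes) -> str:
    # PBKDF2-HMAC-SHA256 with a per-user random salt: the same password hashes
    # differently on every site, so a dump from one site cannot be matched
    # against another by comparing stored hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_site_table(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """What the second site's credential store looks like under each scheme."""
    return {u: salted_hash(pw, os.urandom(16)) if salted else unsalted_sha1(pw)
            for u, pw in users.items()}


def accounts_matching_dump(site_table: Dict[str, str], dump: Set[str]) -> List[str]:
    """Accounts whose stored hash appears verbatim in the leak. With unsalted
    hashing an attacker spots reuse without cracking a single password."""
    return sorted(u for u, h in site_table.items() if h in dump)


def range_query(prefix: str) -> Set[str]:
    """Simulated breach-corpus range endpoint: the caller sends only the first
    five hex characters of SHA-1(password) and gets back every matching suffix,
    so neither the password nor its full hash leaves the client."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return {h[5:] for h in DUMP_HASHES if h.startswith(prefix)}


def is_in_breach_corpus(password: str) -> bool:
    digest = unsalted_sha1(password)
    return digest[5:] in range_query(digest[:5])


def keyspace(password: str) -> int:
    """Number of characters in the classes the password draws from, raised to
    its length: the most guesses an exhaustive attack can need."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size ** len(password)


GUESSES_PER_SECOND = 1.3e7  # assumed attacker rate; a six-letter lowercase password falls in ~24 s


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return keyspace(password) / rate


def password_problems(password: str, min_keyspace: int = 2 ** 40) -> List[str]:
    """Checks a site should run at signup or password change."""
    problems = []
    if is_in_breach_corpus(password):
        problems.append("appears in a public breach corpus; assume it is already known")
    if keyspace(password) < min_keyspace:
        problems.append(f"exhaustible by brute force in about {seconds_to_exhaust(password):.0f} s")
    return problems


if __name__ == "__main__":
    print("unsalted:", accounts_matching_dump(build_site_table(SECOND_SITE_USERS, salted=False), DUMP_HASHES))
    print("salted:  ", accounts_matching_dump(build_site_table(SECOND_SITE_USERS, salted=True), DUMP_HASHES))
    for pw in ("dadada", "correct-horse-battery-staple"):
        print(pw, password_problems(pw))
```

Note that the salted table never matches the dump even for the reused passwords: the attacker would have to crack each salted, iterated hash separately, and a breach at one site no longer hands over the accounts at the next. The breach-corpus check is what stops a user from choosing "dadada" in the first place, regardless of how it was leaked.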
Mullen, J. (2016) Hackers steal bitcoins worth millions in attack on exchange. CNN Money. Available at: http://money.cnn.com/2016/08/03/technology/bitcoin-exchange-bitfinex-hacked/ (Accessed: 5 September 2016).
Redman, J. (2016) Bitfinex pays out first wave of customer refunds. Bitcoin News. Available at: https://news.bitcoin.com/bitfinex-pays-wave-refunds/ (Accessed: 5 September 2016).
Higgins, S., Bovaird, C. and Rizzo, P. (2016) The Bitfinex Bitcoin hack: What we know (and don't know). CoinDesk. Available at: http://www.coindesk.com/bitfinex-bitcoin-hack-know-dont-know/ (Accessed: 5 September 2016).
Business Wire (2015) Bitfinex and BitGo partner to create world's first real-time proof of reserve Bitcoin exchange. Available at: http://www.businesswire.com/news/home/20150603005462/en/Bitfinex-BitGo-Partner-Create-World%E2%80%99s-Real-Time-Proof (Accessed: 5 September 2016).
Leadem, R. (2016) The biggest hacks of 2016 — so far. Entrepreneur. Available at: https://www.entrepreneur.com/slideshow/279740 (Accessed: 5 September 2016).
LinkedIn data dump (2016) Available at: https://linkedin.thecthulhu.com/ (Accessed: 5 September 2016).